MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55
SHA3-384 hash: 39868b74524b111d41900d9234abe45f569a602c6554d7818bdac52cfa6d9e272da5c04efcbfd3581b9c3a3e33b3fbf7
SHA1 hash: 56b2ae047eb7d4390852b56635f9e5631e1ed53f
MD5 hash: 9d201999f5aace1194ee3947f2585936
humanhash: aspen-football-venus-sierra
File name:shedyGrace.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:457'482 bytes
First seen:2021-03-01 07:28:42 UTC
Last seen:2021-03-01 13:05:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 6144:F9X0GEgj5fSkuGDm/ldiFhMhKDrR6SBNbCax3X/DDnYeq2//1t/S6:b0bkwsYldEMhYt6WbC2P8231t/S6
Threatray 2'886 similar samples on MalwareBazaar
TLSH 3FA4D1563980ACCED6B241754D34D6B582EA6D05723D2A627BF27F0F70BC15B1B0E982
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: medeortz.co.tz
Sending IP: 196.41.32.157
From: Miranda Wang <mandatoryreporting@accc.gov.au>
Subject: New offers for Pharmaceutical And Medical Products
Attachment: 098345689768.ISO (contains "shedyGrace.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shedyGrace.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 07:33:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e35f3c2-84af-4ce7-aa0a-7bb3c70ca9c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120133/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621874
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 07:29:08 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pljw2pzuhv6ygv6jziy5t3icdddzcnqiw5xjzrvjr5fru43j7vkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec
AgentTesla
62e4849bf2b02dd9508f6db60bc9f0d0e982ddfb607b9816e4a777c8cf5542ec
AgentTesla
69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
AgentTesla
6ba09bf0b6f9ed13f6600679a0c81cc79dc1461213798b606178f3815078aedd
AgentTesla
73884bc59571b3c7199849dcdfb8330b57435a822c320d1913eb990db842fbbf
AgentTesla
7579d907f11e31daadd189f27bb76ece470935be7d196e402030fae41615fca7
AgentTesla
a9af2bddccc4126a93f8b0a3413df57fd0f70d8829c8cba61c8aae21c07423f6
AgentTesla
b3169da25d6a50990a664203361eac74ab36b8f9412e46fd89e19f450993e307
AgentTesla
d6815935b80fc0d39cceab37523c71add55b175d975fa0d42169894b551e27cd
AgentTesla
e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159
AgentTesla
+ 2'876 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210301-d245eghbpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55
MD5 hash:
9d201999f5aace1194ee3947f2585936
SHA1 hash:
56b2ae047eb7d4390852b56635f9e5631e1ed53f
Link:
https://www.unpac.me/results/41b0e24e-8c43-4eaf-adfe-8a1490dd1be8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 103bf6d87d8791d73d2ab89faad8c18c2246e4a10a6b18841c602b38651ac0bc

AgentTesla

Executable exe 7ad36d3f343d7d8357c9ca31d9ed0218c7913608b76e9cc6a98f4b1a7369fd55

(this sample)

  
Dropped by
MD5 0d81ffb55791e8ad4bc28f130d52f0db
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120133/
  
Dropped by
SHA256 103bf6d87d8791d73d2ab89faad8c18c2246e4a10a6b18841c602b38651ac0bc

Comments