MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6
SHA3-384 hash: b67c4ec542247e6713bf3f89801ea4312a64dd470b2764abef69d48516cd1ab54095d19906761683b553ed5e2046eaaa
SHA1 hash: 4209535f882b313f331c5ba56e5a16c5dba8a1d8
MD5 hash: 0a4d74999ee58829960aa6839b65d75a
humanhash: maine-wolfram-lamp-mockingbird
File name:QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'240 bytes
First seen:2021-05-03 05:54:25 UTC
Last seen:2021-05-03 12:32:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:MrILUlyFMYtWX3YVlfNfz6kprbPw7b7l6b9FALxytsjB99GqDNRL5E8yWpSG2vMI:MrI4Yo3YVtN28bYx6RFANN5G+sG2vF
Threatray 4'381 similar samples on MalwareBazaar
TLSH FBF4122E0384DFE7D77970B5249A604306F4C1156722F70ABC9868F5EBC7BE123A167A
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148169/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 02:47:43 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=plyf7depeixvu6sce3mm5egkvnuqyzgetcumaqztnc5p32jt6cta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4bc5afb7fa8639008d294a8afb8f42531bfcf084398600500bdc81533602c760
AgentTesla
51ca9453d5b45f1def4745ce3126dcf3e6b7d6a6b9ed39aa8a68c4c68d17ac4d
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f
AgentTesla
70bba7ae7db7a571dde9f6e9adad50a1b4fb32b8757f5d6cebb3d73b833644f6
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
734bd3a51497f8faf4a48e596768e68cbede73e21c5dfcc1c8b8da9b02a4c4c2
AgentTesla
b5be17b9a7cb258eeeb27f08c5ba197c47e87b052ce41b150e9945b17d1308c3
AgentTesla
b893403d4de4bd767e6196f0b7a4fd6dfd0f18f854a3d3dfac40b9a6488cff17
AgentTesla
f5e0c3bfd23d86f0cdef681b4922c59e77fb094bacd29add988ff6c9a30d850b
AgentTesla
+ 4'371 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210503-yhs2cbn8vn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/8fed6f31-b92f-4b6c-a2af-0bfa71b8d716/
SH256 hash:
7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6
MD5 hash:
0a4d74999ee58829960aa6839b65d75a
SHA1 hash:
4209535f882b313f331c5ba56e5a16c5dba8a1d8
Link:
https://www.unpac.me/results/8fed6f31-b92f-4b6c-a2af-0bfa71b8d716/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7af05f8c8f222f5a7a4226d8ce90caab690c64c498a8c0433368bafde933f0a6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/148169/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 06:00:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing