MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b18395c202720f8f4a880abedb8e8419019e9b3e9972a42b212b992eebbafe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

SHA256 hash: 7b18395c202720f8f4a880abedb8e8419019e9b3e9972a42b212b992eebbafe2
SHA3-384 hash: 8a9446ca18d5fdadb0b62742b954cc4f49e44dbc2ce833d83091baca2c8cc83dc26dccad4889bd58cd001b01920135b0
SHA1 hash: 5e66f959643ac4125099127b27c002c213d6f6e3
MD5 hash: 1ff1ded251016eef7c58aaa22683b3f2
humanhash: tango-minnesota-sierra-moon
File name: charles1.ps1
Signature: AgentTesla
File size: 365'441 bytes
First seen: 2021-09-07 05:57:48 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 1536:JUhtCIvnw1ycD4WXv1Y/7cQx0Eylfy5x+vGleY9fk7+Ld7Ec1d2Vsme+e8aziGx+:irG
Threatray: 9'577 similar samples on MalwareBazaar
TLSH: T1F174175303851BBDF69D0EC9C94B245B20F2D46B7D251298EBB36EE7BC3B9849430636
Reporter: JAMESWT_WT
Tags: AgentTesla hagga ps1

Intelligence

File Origin
# of uploads: 1
# of downloads: 240
Origin country: n/a

Vendor Threat Intelligence
Threat name: Script-PowerShell.Trojan.Invoker
Status: Malicious
First seen: 2021-09-07 05:55:40 UTC
File Type: Text (PowerShell)
AV detection: 3 of 41 (7.32%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla

Malware Config
C2 Extraction: http://bot.statusupdate.one/webpanel-charles/mawa/e22cc3544e8953ec6191.php
Malware family: Agent Tesla v3
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.