MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bbaffb0510630073fa0fd46d11054bd320f0f3066119b9672cad99e4a35ffae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bbaffb0510630073fa0fd46d11054bd320f0f3066119b9672cad99e4a35ffae
SHA3-384 hash: 7a681b17cbd3161ee43feb5304ec88c819a4f3bad47cc57d0fa4e2848a3e6b8ac8bb2f897f2f083afa2499f956c530c8
SHA1 hash: 5cd303c3c1b827ccc4fd88913ff33358de9b43e4
MD5 hash: 2174ce8099a8cc155b101cb21f101c7b
humanhash: video-aspen-leopard-speaker
File name:Order 67543_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'864 bytes
First seen:2020-11-06 17:04:05 UTC
Last seen:2020-11-06 19:03:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:Z0+P4IJv3G8t2ufQ2wZlyQXC56Us8wGStdIZcaS95ix:i+A4vnthfQhZATUhXtdIZcawi
Threatray 1'003 similar samples on MalwareBazaar
TLSH CAF4F09DD65832FCD0A66F7346EC46804623AF636131AE8F1838F50F46F6D686623F16
Reporter matte_lodi
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.6894.7215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523535
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bbaffb0510630073fa0fd46d11054bd320f0f3066119b9672cad99e4a35ffae/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 03:26:47 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=po5p7mcrayyaop5a7vdncecuxuza6dzqmyizxftszlmz4srv76xa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15814d40339c1e572590b74683dec0fdf2e55e7f565be6e806adfa2e59c4a915
AgentTesla
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
AgentTesla
727e1f0aabc7d8fb68f756541bd8797dd810c2b3ab684ae6e53732e461425f20
AgentTesla
9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c
AgentTesla
9efe8cef3127a10a3c0ee380a77298650e7a54e9e785d86f9871c00c2ad62bdf
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
c43cecf1b4a2303d2eff66ac49e4539aaaac2605373b98bb03c2867d79f0a784
AgentTesla
d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e
AgentTesla
d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3
AgentTesla
fa2bcbff57b3c111ea69b6f47cb4f39c4111b124ef97e3ee00347a175f67e93d
AgentTesla
+ 993 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201106-r6xft9tgan/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7bbaffb0510630073fa0fd46d11054bd320f0f3066119b9672cad99e4a35ffae
MD5 hash:
2174ce8099a8cc155b101cb21f101c7b
SHA1 hash:
5cd303c3c1b827ccc4fd88913ff33358de9b43e4
Link:
https://www.unpac.me/results/545c916a-4b88-4694-83c4-fbdc81d43c40/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/545c916a-4b88-4694-83c4-fbdc81d43c40/
SH256 hash:
e4904d1bfbd2a6fef1100145d6fcaf29cc555d61666e5858d3ee50ba71c20b50
MD5 hash:
8aa99400768caddbe74088fe27c73d5c
SHA1 hash:
01c7cd22fd2d18b690cf471dfa1703834cacfdae
Link:
https://www.unpac.me/results/545c916a-4b88-4694-83c4-fbdc81d43c40/
SH256 hash:
a3f239a252408430fe270d0b3a09798e22fdf49a97d1e2abb58ca8bd6f7f1059
MD5 hash:
043fcf2c516228438631981884e37340
SHA1 hash:
5308c6ce07d1f1de228edc64f50f11d77ba16ff3
Link:
https://www.unpac.me/results/545c916a-4b88-4694-83c4-fbdc81d43c40/
SH256 hash:
f00b936b72e8b1f59d47271d2c88e32e04a59a312eb5abe9484cdd324db82a81
MD5 hash:
95acf95a9636aeb912ba2f41281d51e1
SHA1 hash:
7855ffa6a53cf5a3693b0904fe5aa1dac20c8153
Link:
https://www.unpac.me/results/545c916a-4b88-4694-83c4-fbdc81d43c40/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/7bbaffb0510630073fa0fd46d11054bd320f0f3066119b9672cad99e4a35ffae/detection

Comments