MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14
SHA3-384 hash: aed92f581fde9ff59a022848aada8c24ee91d83c13c386c01b6ec0a2e1b968a0bfa74c9d166c4b809becd4fae617f8fc
SHA1 hash: 9536cb3646195c7e2dfc5d8217aae1e77141e962
MD5 hash: e8a5202307ec44163bee29d5f0d806fc
humanhash: fanta-jig-blossom-crazy
File name:e8a5202307ec44163bee29d5f0d806fc
Download: download sample
Signature AgentTesla
Create hunting rule
File size:306'954 bytes
First seen:2021-08-12 08:28:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77554e5daa9478a6160428ce3abe1161 (8 x AgentTesla, 3 x Formbook, 2 x Loki)
ssdeep 6144:Xs9rRiOnKVLvYNRRNLHbJoSnPZOCyF0dfs0QtQm6sT/A97vsM:Xs9rRRNx7lnkCL5GT/A9zsM
Threatray 8'323 similar samples on MalwareBazaar
TLSH T11764E151B2C9C964F9772E3014A9C8A28B2BEA301F6FE97B734853261F740D1D931E76
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
326
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e8a5202307ec44163bee29d5f0d806fc
Verdict:
Malicious activity
Analysis date:
2021-08-12 08:37:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62602250-5949-413c-88a7-70af875b2be8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178544/
Detection(s):
SecuriteInfo.com.Trojan.Nanocore.565.26145.10498.UNOFFICIAL
Create hunting rule

Win.Trojan.Razy-9885396-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a system process
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be844939-7918-4b9b-b9b0-c15dca1c9f71
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831585
Signature
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14/
Threat name:
Win32.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 00:41:59 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppezltlbwotnz6ix74hnh3kud6hybrmxmnvy3t5mx5qsrrsz7qka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2d61556b631b4920af773904a0ae5011f0103be9effb7c7292e4ebe3e39f1ad5
AgentTesla
3332ae8c0f7892922ad49600076bf9f76080ce02a6071be444299815f26c66db
AgentTesla
9dbd31bbb8546392e2d60247f5010a176ff2625a0bbb626476b7f4c15625fb5c
AgentTesla
b68f9419a52a690f1572c9d38e3311ec2ef9007935354e1122bff14c41b7e9b2
AgentTesla
b6e6023d1b3b0d62b6d20825ab7a993c3cda55051d56b42bf40db27fdab761b0
AgentTesla
ce8de6e2f70e2c2e688ef8dd1693a0356b01ce9a31e06a0b6cb11b8eceb2509e
AgentTesla
f469d130a06088304f4b4f8250d178ea47e6823775ca7dc94aacdf75d5b3f0bd
AgentTesla
f4c05b03d057e5d16ef1297e82644f3ea39c77aab42eb6e836b2d33ff4e3d9e0
AgentTesla
f9b0193780989df57bdf746917310573ee0bb92e28dc18ac2ed6083a21aace3f
AgentTesla
+ 8'313 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210812-kls4b8hjy2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
807777fc7104b87a5a026f9fa80e018e0d44fb556ef6850577adcd23057588b7
MD5 hash:
7d4c429dcfa210ad0302a47bf613ed3b
SHA1 hash:
c2bcab401e8a459fe8abfd5ed6559c20ebfd7a8f
Link:
https://www.unpac.me/results/95b7a2d6-1590-4c86-a137-29edce463d70/
SH256 hash:
7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14
MD5 hash:
e8a5202307ec44163bee29d5f0d806fc
SHA1 hash:
9536cb3646195c7e2dfc5d8217aae1e77141e962
Link:
https://www.unpac.me/results/95b7a2d6-1590-4c86-a137-29edce463d70/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7bc995cd61b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7bc995cd61b3a6dcf917ff0ed3ed541f8f80c597636b8dcfacbf6128c659fc14

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1527136/
Cape
Cape
https://www.capesandbox.com/analysis/178544/

Comments


Avatar
zbet commented on 2021-08-12 08:28:19 UTC

url : hxxp://bante.xyz/ven/myn.exe