MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2
SHA3-384 hash:	97933ed45cf7e8069300ab6f06840988caa1d49130527fbcc6e3c9e6359cf22971fd20d52db407fde830be1779089fc1
SHA1 hash:	3b55e20c90e8da5d5cae309810602ff368e760f2
MD5 hash:	0c5d36944ab0c34e70ef9ec43429f7d4
humanhash:	romeo-vermont-nine-delaware
File name:	Albarán factura.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	683'520 bytes
First seen:	2021-09-27 12:25:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ASDlQIF/OXfwYw/FYQaMaqY4TDGDkN7L8RmYONSCaYjFSrvEk:2IFaHoFYQaMPQkN7NYOLagFS
Threatray	10'287 similar samples on MalwareBazaar
TLSH	T1D0E4D028B33D8A1FC5EF83BAF059015887E2E68B734DC7849F8270ED69E9735554248B
File icon (PE):
dhash icon	609e696169701000 (17 x AgentTesla, 5 x Formbook, 2 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	AgentTesla exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Albarán factura.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 12:27:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/37f86b18-05a9-4311-ac5e-60016d735d06

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/192066/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1048-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2d738dd9-c21b-4bdf-992a-9948723170cf

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/858980

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-27 13:03:13 UTC

AV detection:

14 of 27 (51.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ppgpfch5b4r2b3i7cwbp6lsrbg2fhqv4ahw2osn74vnjad23i6za._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

786a9b90ee6541476ce7b9ffed8a4d22438b7cfc72ec33ddad9a3cf2cb2f8613

AgentTesla

7f3bc638d00a6b3fd61d768fd39047fc87b97942d809d16042770d42d0e0da24

AgentTesla

b2d650760a9ae5850dd4d5accdf1c252b36976cb5401d50ac4f07e0dff750031

AgentTesla

bd9455da30d6335b0dffe00aa01a1d46cc6bdecc1cf91076e846038369603e43

AgentTesla

c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1

AgentTesla

f9c716c3b4b1144cc071f6056628f3f9c7fc05f20f17697b727804826ad03d3b

AgentTesla

+ 10'277 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210927-plmgbaghg9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1952154144:AAEHUKomldKQIyjgq_MWw4YWiGcA_iwz6T4/sendDocument

Unpacked files

SH256 hash:

8a7f6e89d3ee78e7e582cbf4cc1577c9fbd1b5d4af049284def6eb1f32a872eb

MD5 hash:

469a36aca9a7bab11b3b0acb15d20c35

SHA1 hash:

a9a868398cc0625b5c26cc31433fb662f73f7d45

Link:

https://www.unpac.me/results/e81f0d74-a110-4cc9-bad9-88c14d29fb79/

SH256 hash:

f44a6eb80b36ce2c85aa518c8e01313d00ed5f5d3f59371a659412b01129f367

MD5 hash:

111459714dd64ea6d784e71f1105aafc

SHA1 hash:

4e28a738b927dde4e31b840cfa41b3c86083f448

Link:

https://www.unpac.me/results/e81f0d74-a110-4cc9-bad9-88c14d29fb79/

Parent samples :

24ba16885e8cc1052640b95b43ee08c42483e1d0dadb4a10c4b87ad507d9c305
f44a6eb80b36ce2c85aa518c8e01313d00ed5f5d3f59371a659412b01129f367
a4f9e3a3944e87a7cf9eca4f206b2ed7d41361179fee32006e5bf9882f8e9855
54d629d1bbdc3dc634692b74936cabedbce47b088e07878229458b7d5acf79cd

SH256 hash:

9bce0e0970a1945a35b99cd0e1143fbc7b190a2c2c917b0eb2382278e376c5d3

MD5 hash:

38eece3513adc50b06604e080f43ec45

SHA1 hash:

4591356de5243f0263c7be7fde2b929b552e1f26

Link:

https://www.unpac.me/results/e81f0d74-a110-4cc9-bad9-88c14d29fb79/

SH256 hash:

efd2f7657839b252c2fb8489c1ccf610b8e57b471efe049de86a74bc1506775d

MD5 hash:

c3f3e4a9e9ab54bf847a9fc02e7a2160

SHA1 hash:

0853bec33e36ede763927cda0f03129ca763bc07

Link:

https://www.unpac.me/results/e81f0d74-a110-4cc9-bad9-88c14d29fb79/

SH256 hash:

7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2

MD5 hash:

0c5d36944ab0c34e70ef9ec43429f7d4

SHA1 hash:

3b55e20c90e8da5d5cae309810602ff368e760f2

Link:

https://www.unpac.me/results/e81f0d74-a110-4cc9-bad9-88c14d29fb79/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7bccf288fd0f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 7bccf288fd0f23a0ed1f1582ff2e5109b453c2bc01eda749bfe55a900f5b47b2

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/192066/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample