MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95
SHA3-384 hash: 615334678a207688fa9909960fe8937be5be87a25b250638c5ff3e42685d29f29a085dc819c5cfb95427881f17026ab0
SHA1 hash: 512b355d73854196867bee81689e829ff83ba6c3
MD5 hash: d2bb15eedc3467e3639ec37e3be2a2b3
humanhash: mississippi-network-coffee-blue
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:379'196 bytes
First seen:2021-10-04 08:16:15 UTC
Last seen:2021-10-04 08:50:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:18LxBDGeKGDuGyGNQjdefxSLNfZv1YGI3dnPvJpVIjDWXwfprk/y+365:ljfNFiJUj+wfprkS5
Threatray 10'629 similar samples on MalwareBazaar
TLSH T13284125631C49997D2862B300EB3B3BAB6359E0487464B86B7D43E2F7C309C7AE056DD
File icon (PE):PE icon
dhash icon 5232d212f0cc8626 (20 x AgentTesla, 1 x Formbook, 1 x MassLogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 08:19:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebc3f3d6-722e-4c69-a18b-c39a59db603f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194462/
Detection(s):
SecuriteInfo.com.Trojan.Generic.30295315.31494.23568.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615c2feae3d213d202b77462/reports/f96d87ea-292b-4ff3-a163-99c6eaa6ecea/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b71a1281-ac68-4c5c-92d4-fe628742760a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863720
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95/
Threat name:
Win32.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 07:45:03 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pqqe6nnz52ax3gdhbuqk2kunihtnpigps3mgyw6ejtpudwjjnokq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
139600dbb664f155f2874f115c15ed4d6cc9fb72bd918b3cab09c0ffd4e64040
AgentTesla
29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506
AgentTesla
33522f78827572158bd59c33cb91a6db68eeb48e3690d105a787ea9cb7b8c54c
AgentTesla
581543b7144f7ba606b44119ee7607c70f01920ec0d10084a9ff9106c6753519
AgentTesla
5d26b106108feeedd106c7b0a66712cf3c29d1ef75fac3db29159229660652a3
AgentTesla
66c22123d2f34a1da60e3235f1f80e762f2f351ac826e7a8c6e4671a61d408bf
AgentTesla
8749c16cb8cc3999e4db4fa619da8d90fcdee57c7c99479e96e5eb3427a427a0
AgentTesla
b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9
AgentTesla
c2bf77c7740f8cae2b71502eb3945e92587441a29fa72127bc531b959de100e3
AgentTesla
+ 10'619 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211004-j6pvaagban/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument
Unpacked files
SH256 hash:
39c48453e8181c7c975e1bdb88d6a8e29c2d62b2f66fd8ab5d6997640367aa86
MD5 hash:
80a6f3fbffabb3744a2c48766b15af5f
SHA1 hash:
213c50acba399329f4fc58e45f98cc7b40efad7a
Link:
https://www.unpac.me/results/a726f0d7-71e1-4db4-8717-d73b5b485769/
SH256 hash:
7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95
MD5 hash:
d2bb15eedc3467e3639ec37e3be2a2b3
SHA1 hash:
512b355d73854196867bee81689e829ff83ba6c3
Link:
https://www.unpac.me/results/a726f0d7-71e1-4db4-8717-d73b5b485769/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7c204f35b9ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7c204f35b9ee817d98670d20ad2a8d41e6d7a0cf96d86c5bc44cdf41d9296b95

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194462/

Comments