MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242
SHA3-384 hash: 39255a5cd4cfc2a548eef1b93e97d0fc6789ae4b9743b9c1d1b6ce680feff414dacc9b8beb02bb8698d818dee999c7fd
SHA1 hash: 79f5469506a344e996f4b5a0840f1d77036ac537
MD5 hash: 31f8825d959b7650d9387b4eb9e73fce
humanhash: mockingbird-table-stairway-earth
File name:ORDER C19015-7267 AND C19020-7268.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:287'232 bytes
First seen:2020-10-20 11:48:18 UTC
Last seen:2020-10-26 07:11:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xvdiVXk6lMpS7WQoAwe5cf0UO9l66w+/hY2jKR:6VUI7WQoUeMUG66w+YyK
Threatray 24 similar samples on MalwareBazaar
TLSH A154B708CE6BDA62FF94BBB6F8296CEEDB3084281D57F34A52014D858D3E7C4075716A
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ditas.com.tr
Sending IP: 193.142.59.17
From: Tuncay AYKAƇ <tuncayaykac@ditas.com.tr>
Subject: AW: ORDER C19015-7267 AND C19020-7268
Attachment: ORDER C19015-7267 AND C19020-7268.img (contains "ORDER C19015-7267 AND C19020-7268.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73462/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34835248.5132.13756.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497600
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 10:38:38 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pr7kfvawc4d6er76owg5wi7ssorrv754ncba7tf6qql5vicqojba._file
Verdict:
unknown
Similar samples:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
AgentTesla
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
AgentTesla
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
AgentTesla
382cb836252147bd203a592b73db28024cf9aa7a78abcca57ee472362bf8cdfb
AgentTesla
44cfbbb142d8d2eb853ac5453ebc129955bfe879cc4d41f898e5f52838c682ce
AgentTesla
670d2b752c68da68cdfd9d1b2f5a2f994509e563cc7ca3f1049d5503b8f48369
AgentTesla
79541840f37314c88b923c55cfa29bc952a514242edce7b9a54a937a6f5ed985
AgentTesla
d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
AgentTesla
df1a3d7b6f4c431992aef66e5296b83f0bea7ef127a22fe4574eb0cad66fb3be
AgentTesla
e1422dbc6631aec397fe0dc7298ec6b52570720f2fb6c7605db0a72b48809df9
AgentTesla
+ 14 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201020-aw9jhs6lzx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242
MD5 hash:
31f8825d959b7650d9387b4eb9e73fce
SHA1 hash:
79f5469506a344e996f4b5a0840f1d77036ac537
Link:
https://www.unpac.me/results/ebf93221-6ca2-4707-ba13-b11d04d32ac2/
SH256 hash:
dbd881ab3e29d5c92971a644d63f67f6d93adc801c240f264b5e629ed2c2f769
MD5 hash:
70e8eb8aaf5ae20211e353d57d81c8c2
SHA1 hash:
226f21dd57619573113542d2de72231d0799a372
Link:
https://www.unpac.me/results/ebf93221-6ca2-4707-ba13-b11d04d32ac2/
SH256 hash:
fd1df5042f42ad48aa73aa04e7fd3bba388cd1a3268eee6d86bd4734e82a183b
MD5 hash:
738de26f889038cf4947fd7c899b1b69
SHA1 hash:
c6a2ff7a120bdee501aeed4b52b6319ff8da5f3f
Link:
https://www.unpac.me/results/ebf93221-6ca2-4707-ba13-b11d04d32ac2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img a59023573b4db7d4bbd0c2bd082b5f5cebe254c14d63d820936a5e13f24e9625

AgentTesla

Executable exe 7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242

(this sample)

  
Dropped by
MD5 7c508d8aee20f263306634298071dcc1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73462/
  
Dropped by
SHA256 a59023573b4db7d4bbd0c2bd082b5f5cebe254c14d63d820936a5e13f24e9625

Comments