MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe
SHA3-384 hash: bd6ac4d6f7e33a33de8d2969c658664b1571829209cefc9ce8e604e3a3807ff121bb414cd2ca5f4021d05f50f19a2c9a
SHA1 hash: 2d5c0fbf770c944443d52a2b0088e9077001838d
MD5 hash: d9d9b12977e4df98046692a0a47d4ca9
humanhash: sixteen-cardinal-gee-magazine
File name:P.O-00490585693.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:583'680 bytes
First seen:2020-10-15 11:59:24 UTC
Last seen:2020-10-15 13:28:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:aJEBPAfK06DEJX6rwXyibjp9Uib4p4iZqm5WC:aJCPAy0aEJX6rcb7UyIHZt
Threatray 11 similar samples on MalwareBazaar
TLSH A9C4016133E62F15E43DA3B334B4412013F5A2C28727EE4E7FD912CD1A62F50A696A5F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns823.tekrom.com
Sending IP: 159.253.133.229
From: Katie Raymond <kraymond@raymondnet.com>
Subject: Purchase order 00490585693 10/14/20
Attachment: P.O-00490585693.zip (contains "P.O-00490585693.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Hiverat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71355/
Detection(s):
SecuriteInfo.com.ArtemisD9D9B12977E4.20047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Hive RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492306
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found strings related to Crypto-Mining
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Hive RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 03:56:34 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psroo43t4usdd6euihpvpfe7r3lt6xj46wdt7fsljqaeiz3q2x7a._file
Verdict:
suspicious
Similar samples:
0b5146bc92433d5374ba7dca572a787520aba7f5c1f1efdc85db0dd8b07807da
AgentTesla
0db8c615e9cd13c0bdd7b3bc5b1b58bc0e27574d7ba4577f8d4b30a8d8b4337a
AgentTesla
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
233ff0bfb72db560756d1a4886d708658e7bd64c5ca548aba0655b6332e050b1
AgentTesla
27bec5b0582b3447dfbf1e2cca8afae778532caa31b449bebb434d5468cbe3b7
AgentTesla
50bf9e38c817f386cbf2b43ce3766d898571a21e5bb690ad89f851d5bf017bb7
AgentTesla
8a1bab54673df9e46725e035d92723321576c1b871ac44facc775881d39f44a7
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0
AgentTesla
bdd5a26a1e63c3c60b9fa021dc6445a1a66d1680cfdf489c403645bb09b1e4af
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/201015-yxlasass4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe
MD5 hash:
d9d9b12977e4df98046692a0a47d4ca9
SHA1 hash:
2d5c0fbf770c944443d52a2b0088e9077001838d
Link:
https://www.unpac.me/results/772c87d5-dc7d-4abc-934e-9b903c998095/
SH256 hash:
5b3f3cd2ce926ee78529d921c632bc57ea952f926e88f4b1b8f983843c0bcef8
MD5 hash:
6c60cce3ba99216f4488523a9d719767
SHA1 hash:
5dbab119eac09dd917bfa3c1a0c80789e59989e3
Link:
https://www.unpac.me/results/772c87d5-dc7d-4abc-934e-9b903c998095/
SH256 hash:
97c27bd063cca815a976a679bd938bc3ed6849c9328b35669fd5f10a9214c039
MD5 hash:
e5891b7abec5fbe9263c816092b97faa
SHA1 hash:
b3bc45613b1be56eef0abc3d85d8c6e8aaac153a
Link:
https://www.unpac.me/results/772c87d5-dc7d-4abc-934e-9b903c998095/
SH256 hash:
73fcf24c970e4310dcfcddc5386680dcb2265589bb407632b365d8ff55537025
MD5 hash:
8b22f0b862979d44da3900712dd26ee3
SHA1 hash:
cf1cbf7a1f4e66baa63ec23625006fc42c717ae4
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/772c87d5-dc7d-4abc-934e-9b903c998095/
Parent samples :
7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe
e93242e9568fd161477b9913cbfeeb2c8a9034d600eefa550c68c8748f89d44e
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/772c87d5-dc7d-4abc-934e-9b903c998095/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0

AgentTesla

Executable exe 7ca2e77373e52431f89441df57949f8ed73f5d3cf5873f964b4c00446770d5fe

(this sample)

  
Dropped by
MD5 9a268fbf3ac57ff1e1b9c1a35beec8ed
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0
Cape
Cape
https://www.capesandbox.com/analysis/71355/

Comments