MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b
SHA3-384 hash: c1ef3ecffb7ae5d6a46672459e5b85e5122e453b0f43922370c64c22052dceae6cd27e0f3edfb0d37c1e0f63850e4f4b
SHA1 hash: 63dcff1b15d6bb01feb8bd8696242a0c6c5b5cbd
MD5 hash: 9e37bbffb267a00d169719a493003c51
humanhash: winner-lithium-venus-sierra
File name:SS21 order IN644.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:957'952 bytes
First seen:2020-10-19 13:20:08 UTC
Last seen:2020-10-19 14:22:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:qN7y33hfyNb+ZhIZk5vbBA1GUKzodUK/:QI3hqNbEuK5lANKzoR/
Threatray 650 similar samples on MalwareBazaar
TLSH 68157B0432F80B59F47A47F5973440848BB6BA4A553EE25CBD8E32EE5FB2B014A43B57
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.undorthemoure.ml
Sending IP: 5.8.93.50
From: Ravi Textile <ubacen@undorthemoure.ml>
Subject: 回复: Re: SS21 order IN646
Attachment: SS21 order IN644.zip (contains "SS21 order IN644.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72968/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3531.31022.25560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495503
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 09:55:53 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ps7ijkmgingzdhbomfv73h3y3fgjtbv44ii3grew4lirhh7yp5vq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b97909b8cc676b840fd25680d29f211efcc6c71a0234f33365dd0fec17e8438
AgentTesla
58bd9279e5ef2a3c1a55c9257c276f8203b69c79e29008399c6629eaf8ca6d56
AgentTesla
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
AgentTesla
680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
AgentTesla
99cc56c49ea22eaf929c14180a5625096c6652ae122fb35d913ae774604965f0
AgentTesla
a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
AgentTesla
b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389
AgentTesla
ba5cf0e14767afbaf1ef4310a5a7a55e152b7c54507a1b567133cdf42493629d
AgentTesla
d18f27370f8ee9d89c588980241ef2757a4a5d6cc70a357c7a45fae186c7e84b
AgentTesla
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
AgentTesla
+ 640 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/201019-j775tpdvx2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/b85fc62f-1fe7-4967-a488-21c258901791/
SH256 hash:
e985045062fa6a8c1ce845974e276331d6652da35aed7fc4df0e8598a4d31184
MD5 hash:
6e7df6ec5fb9420f1b5c9b1cb4b36b3b
SHA1 hash:
8ec67ed503f0cfd9aa2f8ddc5cd5de2453c6df1e
Link:
https://www.unpac.me/results/b85fc62f-1fe7-4967-a488-21c258901791/
SH256 hash:
a4d1ee81e7c368c3d309e6235f635708dcd4bd30ecd984317873cb850207f889
MD5 hash:
ff34d91ee02b341521337bcb5c6ace5d
SHA1 hash:
cff8d156f69c36f41312a2f1fe28ea3b800eedb8
Link:
https://www.unpac.me/results/b85fc62f-1fe7-4967-a488-21c258901791/
SH256 hash:
7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b
MD5 hash:
9e37bbffb267a00d169719a493003c51
SHA1 hash:
63dcff1b15d6bb01feb8bd8696242a0c6c5b5cbd
Link:
https://www.unpac.me/results/b85fc62f-1fe7-4967-a488-21c258901791/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3a809258347f85825f651c810734818c29111fb8376e391711aa4376ed570e97

AgentTesla

Executable exe 7cbe84a986434d919c2e616bfd9f78d94c9986bce211b34496e2d1139ff87f6b

(this sample)

  
Dropped by
MD5 b1752e4721da202e88b28abf924c1198
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3a809258347f85825f651c810734818c29111fb8376e391711aa4376ed570e97
Cape
Cape
https://www.capesandbox.com/analysis/72968/

Comments