MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cd1bb647fff3c340e2eae0532318bde99947b6bc91e3fabe286bd3fb0a1658e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

SHA256 hash: 7cd1bb647fff3c340e2eae0532318bde99947b6bc91e3fabe286bd3fb0a1658e
SHA3-384 hash: 73f36d157abdb67770b8ca643e35ccb95666aafaf0e9f6db56ee9ac895deb846780b9825615410a9793e71f5e67a1ba3
SHA1 hash: 2904830cfda1e2864942a4c0dc5864d653499988
MD5 hash: 329a7d1d749c98a9537b0fd305f86f33
humanhash: wyoming-texas-hot-burger
File name: PAYMENT INSTRUCTIONS COPY.exe
Signature: AgentTesla
File size: 1'035'264 bytes
First seen: 2022-03-23 22:17:52 UTC
Last seen: 2022-03-24 10:14:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep: 24576:1Tkma18Ej4ODRFW0Xjll1IW23604KrH+mS2DGnoM/+5:1TvojDPW05lfi6Q+oM+5
TLSH: T1AB25231E23646E2BFF6F86F88905408243B0197B59A1E7B5CDD660F27394BE06F1A4C7
Reporter: GovCERT_CH
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 285
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-23 22:18:13 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Drops file in Drivers directory
AgentTesla
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 7cd1bb647fff3c340e2eae0532318bde99947b6bc91e3fabe286bd3fb0a1658e (this sample)
Dropped by: AgentTesla
Delivery method: Distributed via e-mail attachment