MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1
SHA3-384 hash: 6c48ddb53bb2f22ac223548c8b4433d8b61dd871f8e9ca6fb43a47701a708f14bb6c3c3ece2f1215c1553cc9ce83bb1a
SHA1 hash: 6ae25dd4586629db60429c3c66cac81ee735c9dc
MD5 hash: 363044c48c8d035c08cddcdb22bb0838
humanhash: november-alaska-september-michigan
File name:dochus20230925.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'071'104 bytes
First seen:2023-09-26 13:52:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:eRT5oEFwWfz/1sAsSn46qttH6n6MYAUH+5ZxGIAU:eN5EWr/1sZSn46qX5J+5ZxRh
Threatray 5'715 similar samples on MalwareBazaar
TLSH T188357CD91693EA1BE7F7C63A5BCA4430663DE42FC07AD285361426269C36DD62F3012F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e2e2b2ccf0b27ee3 (9 x AgentTesla, 1 x SnakeKeylogger)
Reporter JAMESWT_WT
Tags:AgentTesla exe payorderreceipt-info

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
dochus20230925.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 14:02:40 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/f375d648-9070-43d8-8f09-e2e711915fa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451291/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.3326.25554.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/6512e2420870810f01870c67/reports/0865a5c2-4aa8-45f8-b27f-2bcffc5196a5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e181077d-8596-431e-be7a-ecac01bfe1a0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314569
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-26 13:50:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=puyschuixpbrzujiyg22hlu6dw53qi5ujh4apy6tuztjar4bbxaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10265ef7d6568a1b67cd65013ecc2bb5bf98b11b8186a5f13f432da0c69613b6
AgentTesla
1b91aa318e9c011abed18662e8c577ddcb12499de26e2fd19bfb4a4ea81f7450
AgentTesla
26e4c2040af6ee16a1794c86220f5249743ec9c9ceee933645331c1e54ebcca6
AgentTesla
323f7a2c28d21f7098817977c3854be91f379cb2791fbc5504d6c3342fb163ac
AgentTesla
3f8a355ce6dd6d2703dcb44bad8134df383496f1f5db5c7c5b4c613cdb32aa0b
AgentTesla
77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
AgentTesla
8d9a8f9de34a75aeba8164f658881f4c142690b58c8cf30486f18574a8e14185
AgentTesla
a5511e15b015d02f9475da2875c37dcdacdda81793f2324fe5d61d487187aa8c
AgentTesla
be0189e9af3e8929a3f23d2077ed2a5162e4e7801386cf637d1e449a35eb0671
AgentTesla
dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6
AgentTesla
+ 5'705 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230926-q6y7aaba94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/805f2d0f-3886-4a36-90ee-25d45ab50420/
SH256 hash:
dd964dc6102869e095014d01eca10b5cd1e456b052dac875d61b7777acd42e85
MD5 hash:
84716d14a6222d8b11c6dc246e89f44b
SHA1 hash:
ff9371f6200adb027ff66698f19c9c53df44a6aa
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/805f2d0f-3886-4a36-90ee-25d45ab50420/
SH256 hash:
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
MD5 hash:
ed9d91fe584d5109d4067734ac452753
SHA1 hash:
c277e57866833509d94787fc6f4d634a2714825d
Link:
https://www.unpac.me/results/805f2d0f-3886-4a36-90ee-25d45ab50420/
SH256 hash:
6848b9eacbae89641e6be39f9bc43cf8e2e45e6c70b76e517b8df8df31b47816
MD5 hash:
958575c10cc72c98963efe1134d38e48
SHA1 hash:
9e51e47d08d31cf265da6c097521779864cdcbc6
Link:
https://www.unpac.me/results/805f2d0f-3886-4a36-90ee-25d45ab50420/
SH256 hash:
7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1
MD5 hash:
363044c48c8d035c08cddcdb22bb0838
SHA1 hash:
6ae25dd4586629db60429c3c66cac81ee735c9dc
Link:
https://www.unpac.me/results/805f2d0f-3886-4a36-90ee-25d45ab50420/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d31211e88bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7d31211e88bbc31cd128c1b5a3ae9e1dbbb823b449f807e3d3a6669047810dc1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/451291/
  
URLhaus
https://urlhaus.abuse.ch/url/2714264/
  
Delivery method
Distributed via web download

Comments