MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a
SHA3-384 hash:	d02389118298da8afc3a62b4cfd52c9e9f80180d9985f52b1bd39a3e5880a3df2e3620259a7a8cc6c5126970a312d13e
SHA1 hash:	736a1c68cf07d575f6c32ce35ced6044d3a46696
MD5 hash:	9505a5a4947bff428749a29813e4caf8
humanhash:	april-quebec-monkey-green
File name:	Shipment Advice & Draft BL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	882'176 bytes
First seen:	2023-07-13 08:15:34 UTC
Last seen:	2023-07-13 13:25:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:WpicMLLP7Jv3P8iz9MPy+dTLX71wO0nAsKWlkrmHl5+VyduKWe2dGbXcrmk7CPGS:dciLtvfXzCD/LmO4Fmwl5+EdPzg
Threatray	5'064 similar samples on MalwareBazaar
TLSH	T12B157BAD325075DFC867CD76CAA81C74EA2168B7930BD203906715EC9A4EA9BCF141F3
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Shipment Advice & Draft BL.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 08:18:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90ce594e-9e1a-43aa-9066-bf0c856bba69

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/417314/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.27433.17344.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64afb2c96e9f7019dea01830/reports/c362addf-542b-4829-a642-725223fb30a3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b61c72a1-5051-4440-92e1-3bb54fe9e978

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272297

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-13 03:12:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pvgsukersx2ml2ur3zuztgidplgy7fu3trlckmjdjq77b6xnzmva._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5afc34ba8d87868898a975c8a82a6817739d9ff294fae609b2ca293ac5e478a6

AgentTesla

82ec3f48b64379387613c3cddcdd400f095161826bac92ce3f7907dc3807a9df

AgentTesla

8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b

AgentTesla

e0a9d1ee5f291098090a028934842e554f4bb482a0100077d909d3005430b2ee

AgentTesla

e5b3f5c88055487475981257a3146b756a653845e01c66141d3547192805a8f3

AgentTesla

+ 5'054 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230713-j555wagg8w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137

MD5 hash:

60126f10641986bbcefca9ed6159994b

SHA1 hash:

df584155d49b10805f1f0d81a758e98b23990815

Link:

https://www.unpac.me/results/6f6dae7d-141a-4d70-bba9-a20ab71dbcb5/

SH256 hash:

25e7729536d0aeaa71b869fdf0d8f2b4ade4af704252a9dfce316ee9582fc6ab

MD5 hash:

b14fdc473b7d5e9783afc2424f80e784

SHA1 hash:

b9e4bbdaafe9a9b91366f06d302c73b925e4d819

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/6f6dae7d-141a-4d70-bba9-a20ab71dbcb5/

Parent samples :

7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a
3179f266c2fc52d2d06b1b14afdc952d5463b3b03c3a838d879c3caac3a2a60e

SH256 hash:

4ab333729ef274362517f6acdd4a9b386bc085d5454cd2a27a811dce8ab5cd4f

MD5 hash:

b4e6f01312b2aa5d1807ea5382849b3b

SHA1 hash:

7012c26775f2d35e40239638f49b5d25b1a3b129

Link:

https://www.unpac.me/results/6f6dae7d-141a-4d70-bba9-a20ab71dbcb5/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/6f6dae7d-141a-4d70-bba9-a20ab71dbcb5/

SH256 hash:

7d4d2a289195f4c5ea91de699999037acd8f969b9c562531234c3ff0faedcb2a

MD5 hash:

9505a5a4947bff428749a29813e4caf8

SHA1 hash:

736a1c68cf07d575f6c32ce35ced6044d3a46696

Link:

https://www.unpac.me/results/6f6dae7d-141a-4d70-bba9-a20ab71dbcb5/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7d4d2a289195/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.