MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df
SHA3-384 hash: 4828ab94b1ff8079814f2b057aa9e762fa297983d117a9899308f0f6a46fa26473c81919f33298bcaa922e65a0d4d7b5
SHA1 hash: fa4c09fa5f16661f42b3fead503b00e9300e0ab9
MD5 hash: 0ee74f2375354386660b64ed7b5ab37f
humanhash: don-enemy-alaska-early
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:450'048 bytes
First seen:2021-02-17 10:41:08 UTC
Last seen:2021-02-17 12:57:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:FZR/SQVieUH3J3RTvQu33mBzJzbXt5ywAZnreh+:XR/SQVi7H3JhnyZL0tri
Threatray 2'672 similar samples on MalwareBazaar
TLSH C7A4129C9521C177EA6CA7F4912242FC8370EA12B1CBE35E1FBDB07A4593B7C1A542B4
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/browse/
Verdict:
Malicious activity
Analysis date:
2021-02-17 16:19:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ad05a7a-7ebb-43e7-9e5e-deb6bc8b4008

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117571/
Detection(s):
SecuriteInfo.com.Artemis0EE74F237535.12135.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/610121
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Beds Obfuscator
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354081 Sample: SOA.exe Startdate: 17/02/2021 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 5 other signatures 2->71 6 SOA.exe 3 2->6         started        10 kprUEGC.exe 2 2->10         started        12 kprUEGC.exe 3 2->12         started        process3 file4 33 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 6->33 dropped 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->75 77 Injects a PE file into a foreign processes 6->77 14 SOA.exe 2 5 6->14         started        19 SOA.exe 6->19         started        21 SOA.exe 6->21         started        23 SOA.exe 6->23         started        25 kprUEGC.exe 2 10->25         started        27 kprUEGC.exe 10->27         started        29 kprUEGC.exe 10->29         started        79 Multi AV Scanner detection for dropped file 12->79 81 Machine Learning detection for dropped file 12->81 31 kprUEGC.exe 2 12->31         started        signatures5 process6 dnsIp7 41 smtp.allenqers.net 14->41 43 us2.smtp.mailhostbox.com 208.91.199.223, 49754, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->43 35 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->35 dropped 37 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 14->37 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->51 53 Tries to steal Mail credentials (via file access) 14->53 55 Modifies the hosts file 14->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->57 45 208.91.198.143, 49755, 587 PUBLIC-DOMAIN-REGISTRYUS United States 25->45 47 smtp.allenqers.net 25->47 49 192.168.2.1 unknown unknown 25->49 39 C:\Windows\System32\drivers\etc\hosts, ASCII 25->39 dropped 59 Tries to harvest and steal ftp login credentials 25->59 61 Tries to harvest and steal browser information (history, passwords, etc) 25->61 63 Installs a global keyboard hook 25->63 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-02-17 08:38:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwd2wr2hdgk6szoive4mss75prsbel2ppu3g4mdziuie6vmnklpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87
AgentTesla
0b277825df78139d46171f324c582866a81252fdaec3c8912fee41fb6f6172e2
AgentTesla
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
AgentTesla
350d069225cb53bc0c3762da5cc170eac2737318377be141a5485651105914f6
AgentTesla
bda798b8e628a9b364450614d203b2d1540155c102eddc36ad8a6ebfba18aca8
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb
AgentTesla
ef91cdf4d2ae2a3dd427b89bf9a2e057ec1f6308aba537b7d808e999bb9815f8
AgentTesla
f550b174528b14a38ed8725fc03cf092de3e976a4287874c4fd5eb7fad33312f
AgentTesla
+ 2'662 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210217-nxbc82eq12/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Beds Protector Packer
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/4b2cf763-fac8-4b3b-84d5-1ecf61b03560/
SH256 hash:
bd9ac8f0d8158293e70761e2cd4f9e2a00d1e73b7c0c44cc5e6a410fe59dc953
MD5 hash:
33d6a95863d19c01e583bfa07525fe2c
SHA1 hash:
c917106e2babe4ce3966a17df5986af000fe9511
Link:
https://www.unpac.me/results/4b2cf763-fac8-4b3b-84d5-1ecf61b03560/
SH256 hash:
5c820f5c3cc1553c802d2a6ecab6b6a5b97f7c3c876eddf7c8cf3f0fa8597c59
MD5 hash:
2e06aa0754f0c59106f36c4668c2666f
SHA1 hash:
4095f2343f8f57e7b0c601c9077e35fc996110b4
Link:
https://www.unpac.me/results/4b2cf763-fac8-4b3b-84d5-1ecf61b03560/
SH256 hash:
7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df
MD5 hash:
0ee74f2375354386660b64ed7b5ab37f
SHA1 hash:
fa4c09fa5f16661f42b3fead503b00e9300e0ab9
Link:
https://www.unpac.me/results/4b2cf763-fac8-4b3b-84d5-1ecf61b03560/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 71f9d7a06eb71d42ad7e065df3587af017176d6001f0c8943344648a87722fe5

AgentTesla

Executable exe 7d87ab47471995e965c8a938c94bfd7c64122f4f7d366e307945104f558d52df

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 71f9d7a06eb71d42ad7e065df3587af017176d6001f0c8943344648a87722fe5
Cape
Cape
https://www.capesandbox.com/analysis/117571/

Comments