MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b
SHA3-384 hash:	17eef6f3491394579981b06ee6e9ecd862b86b5930ea89d389ad1c94e25b5b1700791cf40c909d50642e5fa7ea6f72fa
SHA1 hash:	d11d45b5f1e360a8f3ea1d069294df0e61050d14
MD5 hash:	57e60a2791fdc098b9fa9d15bbf9decd
humanhash:	cardinal-sodium-king-december
File name:	QUOTATION JANUARY_ALFA-NISTRU_20210129-20293083020234.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	575'328 bytes
First seen:	2021-04-07 06:00:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Wh8MYiSt1h3dRdoJAjMHgLGyOiyCyYP2Dm/KLl:g8MYiqx3eJUMHSGyOvu26/il
Threatray	1'405 similar samples on MalwareBazaar
TLSH	B4C4F121D7896EAEDD090B7840B259350563EE7892F2134E069C78300EB7BE7275AF5F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: dig0.samigo-trade.com
Sending IP: 143.198.208.26
From: Savelie Raischi <contact@samigo-trade.com>
Subject: Previous inq
Attachment: QUOTATION JANUARY_ALFA-NISTRU_20210129-20293083020234.lzh (contains "QUOTATION JANUARY_ALFA-NISTRU_20210129-20293083020234.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QUOTATION JANUARY_ALFA-NISTRU_20210129-20293083020234.exe

Verdict:

Malicious activity

Analysis date:

2021-04-07 06:10:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0a1c6705-2142-4ccc-b041-64fd6d6d8404

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/132771/

Detection(s):

SecuriteInfo.com.generic.ml.210.29145.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Sending a UDP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/668296

Signature

.NET source code contains potential unpacker

Creates an undocumented autostart registry key

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2021-04-07 02:50:05 UTC

AV detection:

7 of 48 (14.58%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pxgjihgbirsprlpdt2d66qt5jjone42djda4tdbypwifv2urx55q._file

Verdict:

malicious

AgentTesla

1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50

AgentTesla

20e0f8561c714292edd786c9d77983c8777d8d5740758e43c08ab899e5c00023

AgentTesla

28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd

AgentTesla

2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16

AgentTesla

3e43a04b037b6e092c352fcf85eef535cf036ee8a4b7100cb15f7343ab2b097f

AgentTesla

757de1bfe2ba8c069cad8938b02383d54fbc1ed0823ca0f8374c34ae12ee0ce8

AgentTesla

784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980

AgentTesla

a47e971bd76da39e18307424c6bfacd9aed830139cb2822f942d97223467e601

AgentTesla

b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865

AgentTesla

+ 1'395 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210407-5p57k7f89a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

1fcfcd83e45b74d7823a43e766467c001362fa7537a3e2f6b4ae18679826f1ce

MD5 hash:

9dd83d76e884535ecd9ad0a2dbc1e4dd

SHA1 hash:

c11bd97ed228c492e6daff1c00720b814dce5906

Link:

https://www.unpac.me/results/22c341e0-ef02-40db-b189-28c57ded9bcd/

SH256 hash:

425c1a52eff52c8205e83da514418ad9c633af450f850f6291f0c9b5b0cee260

MD5 hash:

b176af2b019ea7d0a8a99540265efc18

SHA1 hash:

995c7ad1a1dfbb12f5a99fcd30b89c7abe223e52

Link:

https://www.unpac.me/results/22c341e0-ef02-40db-b189-28c57ded9bcd/

SH256 hash:

72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4

MD5 hash:

a123101bd517ecc6b1555e8fa60b1de9

SHA1 hash:

1504de13775de42681e03297d45a3cc52974f55f

Link:

https://www.unpac.me/results/22c341e0-ef02-40db-b189-28c57ded9bcd/

SH256 hash:

7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b

MD5 hash:

57e60a2791fdc098b9fa9d15bbf9decd

SHA1 hash:

d11d45b5f1e360a8f3ea1d069294df0e61050d14

Link:

https://www.unpac.me/results/22c341e0-ef02-40db-b189-28c57ded9bcd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7dcc941cc14464f8ade39e87ef427d4a5cd2734348c1c98c387d905aea91bf7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_4f8ebbb263f3cbe558d37118c43f8d58 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates