MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325
SHA3-384 hash: 3f778f688ba528c70b2b0b5633ad92d1e284a8e9f84f3473d9289243b2e653e5c63a83b3e4be0c198b2d9669846d5d76
SHA1 hash: 48de6e30b2a7bdc856ec7ce9a99a1c2ef734c44f
MD5 hash: 0fc7b8a730620e6c1ddb14c2882701c4
humanhash: spring-grey-network-vermont
File name:EDCO569932.COM
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'024 bytes
First seen:2021-09-16 09:44:20 UTC
Last seen:2021-09-16 10:51:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:N2Y6WHCM2K4Cs3jAMb8QgPTg5eFxdOUJdHF6Zptg9t:N233C25qPTggPUZp6
Threatray 9'903 similar samples on MalwareBazaar
TLSH T1E8A4CF243EEA9019F1B3EFB55FE475969A6FBB63260BA45D105003CA0623F40DED163E
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EDCO569932.COM
Verdict:
Malicious activity
Analysis date:
2021-09-16 09:44:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d99ba52d-caac-4b80-bcfe-d35180f7d869

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188394/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1031.7091.16089.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/617521889a5a1e91c5d20455/reports/0e38cf85-9f92-4a23-a210-c66c57334642/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c1f9a4c-0468-4e5a-a626-6c64eeb3dbbc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851954
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 08:03:52 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxyz4ebx5xl53k5loooyecdgkurspjesykxabrzozmjadrzl2msq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13c2ff62d1e29d6e88c828851f842b17acb6293da92bdf5223e87a67bf00ed31
AgentTesla
28363e47447b25727050e30a1b918fc792439fc182d28a3378eb53f983e30c2c
AgentTesla
3262041b975c085ac4910cab0c54cafd02bee3accf8f921712f9a626634ea833
AgentTesla
43f6edcd253f873d92084360b73166040790c8bf7ca9ea125a736b67cb5f3d58
AgentTesla
5ccb4b42592b867c638bc0b10bd75d11865ee1bea36d8242bffe1aba403336e4
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
8590979813969f693284c7b01fe2d8c799cdc2a1b603c6feb621f7ced99277cf
AgentTesla
9ca766e3e0643a762b8e40b63c7db535d677d7c6b4be3109f1c68afe3334d8f9
AgentTesla
c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4
AgentTesla
+ 9'893 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210916-lq3gjsfefn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/29aed52f-b952-44d2-bb79-b97ae1ab8900/
SH256 hash:
62aa30181a40c4d17d3ffc096d5f0d7f4c44bb53867d57418c1bf50af926faa8
MD5 hash:
fe4dd6bcdb951c7581159eba321ee144
SHA1 hash:
527117a7aa07fae4be612d6463b34e456b4ee5fa
Link:
https://www.unpac.me/results/29aed52f-b952-44d2-bb79-b97ae1ab8900/
SH256 hash:
5f82be2856579cb575c0fb1988022540b426481b6106bdabd8fcdfd59de3e87d
MD5 hash:
d45fc747e84af19eba37e85ac41fb6e2
SHA1 hash:
26d057e8669626aa96914cb8cef860bdeab99958
Link:
https://www.unpac.me/results/29aed52f-b952-44d2-bb79-b97ae1ab8900/
SH256 hash:
7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325
MD5 hash:
0fc7b8a730620e6c1ddb14c2882701c4
SHA1 hash:
48de6e30b2a7bdc856ec7ce9a99a1c2ef734c44f
Link:
https://www.unpac.me/results/29aed52f-b952-44d2-bb79-b97ae1ab8900/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7df19e1037ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7df19e1037edd7ddabab739d820866552327a492c2ae00c72ecb1201c72bd325

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188394/

Comments