MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
SHA3-384 hash: 7dbf3d51e3c76bae22e4ed517b813d948708ca9bcff32c0723c49eb284eb4e996ba61a6accfa9990314fea9bfcbe390e
SHA1 hash: d5f8948f1d3d23414675f8050d730ba525078c8c
MD5 hash: 437e9a9b1fadeaf96020a2bc02b0f501
humanhash: quebec-winner-comet-comet
File name:sS87CGnbDWZ72N6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:795'648 bytes
First seen:2023-06-14 09:37:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:qvgaWA7GkPzx4wZlgw9h5KuvxDyHM4qXdV:qvTWAKkZlj5Kuss4qX
Threatray 5'393 similar samples on MalwareBazaar
TLSH T1CA05028497FE8707D9BB67F4A47051344BB2F96EA136E35E0E41B0DAA923F014E12B17
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sS87CGnbDWZ72N6.exe
Verdict:
Malicious activity
Analysis date:
2023-06-14 09:38:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19693677-2f6c-4fe9-829f-8ce0297d43cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398682/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2104.32430.5620.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/64898a7cafa30f336ef0ea33/reports/347a723b-1bf9-40a3-86cc-bfc64ec88c57/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35f09d27-1f11-4174-b71a-8a30fdf25ca9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254339
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0/
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 09:38:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pynklit3hf66stv3awj4fjfklhmqyalzkopmtawjhbep6zdqxhaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
AgentTesla
128b4d5b46b29d5a788f28a9059f7ad139afea6a686eed22acbf05e33ecab3f9
AgentTesla
40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949
AgentTesla
4853f6116a561395c5d4950114e750e3f140622e5ebdfb21db1ccbfba1e67941
AgentTesla
6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb
AgentTesla
8668cd0f536fc0fb2d750d9d4ed492ac9435a32b7ade9f3e427af470bab09bf9
AgentTesla
aa23406d036894ae210e0531e6014c1377bdb409619cde6143e69d0a8dc7b85b
AgentTesla
bd46a723d17048369ac18ff1a2ec0d0f54a8a4a3c5e23d56a53e014a02d1c42e
AgentTesla
ea9f2431a64fc69fa9fdc839c8526744ede33f35a8e0a7b703fa2e03382c49d2
AgentTesla
f10ded3e928cda9f52bb28f82c7057fd9ac571063891d3fd664a0a33971d40d3
AgentTesla
+ 5'383 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230614-ll3lrafe75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6268016808:AAGlJ7-7fNU_zij4XWc49szQ_0ZA6biFI70/
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
SH256 hash:
d6d27ed1939b8527bfaab77b5cda589e3cdc842639958f7b4b63aed35ac7a7ab
MD5 hash:
72b601a1609673f221ca537200e6f074
SHA1 hash:
9bd391169223d5d967cbda11e237b68204cb8511
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
SH256 hash:
fb3b3f8dfd83747484eae6af3361f829a9784dd39d4f71aa7229c2b8eba19189
MD5 hash:
4ec682c48606b2c7549b0763f46abde2
SHA1 hash:
86d93e09e3e972ff8fc78ba4689141528a5972e7
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
SH256 hash:
2ea319f549c06cb5845f74d394c9084b67712e1ca5ec8d637b6ceef5a784b0bb
MD5 hash:
946086a67312ece4db96a04fe4fd414d
SHA1 hash:
589e6e09edac0115a4282ebcaec5ef2602e3b9c4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
SH256 hash:
c4c3539b834442ba4ee988e3ebc15b85ca8d28e398f1edbb589a50136d3dc252
MD5 hash:
408483033c3d9f9f2dcf53b30fe9f569
SHA1 hash:
0b16f1226dfca51e38e97e068f9b9a3b35aa15c4
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
SH256 hash:
7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0
MD5 hash:
437e9a9b1fadeaf96020a2bc02b0f501
SHA1 hash:
d5f8948f1d3d23414675f8050d730ba525078c8c
Link:
https://www.unpac.me/results/db01af5a-e9c4-4f44-a521-d0f8a531a91c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e1aa5a27b39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7e1aa5a27b397de94ebb0593c2a4aa59d90c0179539ec982c93848ff6470b9c0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/398682/

Comments