MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8
SHA3-384 hash: 560792a73884ba8b25321b96d5f20bfbade271f16f4d9df89a7dec15cbcd7a954ff7f3e867172833cf204a9501cbf15b
SHA1 hash: 54ed6c05aff268542ad83cc0c9b1f5687ec49afa
MD5 hash: 8330307adb193d3f49bb96ca59ae355c
humanhash: maryland-pluto-kentucky-aspen
File name:PO#CENT_pdf.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:806'912 bytes
First seen:2020-12-03 08:32:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:HQACHv8Bq3QU+tPsCz8h1vFnxGmJIBb52no:wDv8Bq3QZM1x+Bl2
Threatray 9 similar samples on MalwareBazaar
TLSH 01059CF1FD07E849D56609F4D45ED28C8D61EF2B1729DD88A948F30929B260DCEC89F2
Reporter abuse_ch
Tags:AgentTesla scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: webserver.capricorn-it.co.za
Sending IP: 41.0.5.199
From: Paymentsemail@fnb.co.za
Subject: Payment Notification from *BLUEBIRD MANUFACTURING_HY5RQGZG
Attachment: PO620671942_pdf.img (contains "PO#CENT_pdf.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106546/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6091.29293.30326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554425
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:33:11 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=py6hcpowhndcbjx6lr6ijbzg5ss6agiyw6lxkypmad35r6htdtma._file
Verdict:
unknown
Similar samples:
09b7bf15736eeb15efdae06322e1aa1e8f960d3264aa380ab0ba05a348aadca6
AgentTesla
17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215
AgentTesla
55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15
AgentTesla
623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
AgentTesla
72072c06a5fe2aa1ebf6d2d0b8882c1e11565bed693b2cff1be63a228b26886b
AgentTesla
9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6
AgentTesla
9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92
AgentTesla
ac4bc198b74ee90e9ae296353856fe12fc688a42bdeb2b8b9b4f6c2923cd668a
AgentTesla
fd1fe7db423103d1067ccf7dec534ad9025025106238e3bbe1b45a52995b4294
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201203-m65zra88px/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/2a57a547-ddd3-4cbe-b686-6e4222b51423/
SH256 hash:
c0986e4e71ce62f2a790a64eff23c73dd8ebce7fb285b87579cbd01930556f31
MD5 hash:
8a4fbefe7daf419393973754b4296025
SHA1 hash:
4915d4c0996bed2766eeaf924c4b4d260e591907
Link:
https://www.unpac.me/results/2a57a547-ddd3-4cbe-b686-6e4222b51423/
SH256 hash:
cced6efbbc7a27b8ae7460c0a46c12bfbc2ec8ba79a4cbc0d23ec01f2dbd30a8
MD5 hash:
0da58d6c1c40298ed1a2646247113b62
SHA1 hash:
99bfa65e83cc0354aa3bd8ff448bf08d9320d11d
Link:
https://www.unpac.me/results/2a57a547-ddd3-4cbe-b686-6e4222b51423/
SH256 hash:
7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8
MD5 hash:
8330307adb193d3f49bb96ca59ae355c
SHA1 hash:
54ed6c05aff268542ad83cc0c9b1f5687ec49afa
Link:
https://www.unpac.me/results/2a57a547-ddd3-4cbe-b686-6e4222b51423/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f4bd0862781b70702f734af50ef93152

AgentTesla

Executable exe 7e3c713dd63b4620a6fe5c7c848726eca5e01918b7977561ec00f7d8f8f31cd8

(this sample)

  
Dropped by
MD5 f4bd0862781b70702f734af50ef93152
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106546/

Comments