MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
SHA3-384 hash: 7ed93f80806b4760f50b90412ebb9bdb73e5323660d033c1922d9ee1a7c04d5684d5899d69a6c560ca6c4d2bdca59136
SHA1 hash: 75d28d710180b899847f35de4857952cde5d97ba
MD5 hash: db82b1e54d378158c2873fd90f30880a
humanhash: harry-charlie-carpet-london
File name:견적요청.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:694'784 bytes
First seen:2023-10-05 09:40:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:2iMl/jysa+SRohg0KbwQZvwFRQkFvUPaIONAqptrBm1k5Bfa4SliEv3:kLysa+SKeBnMGkFmaISjI1kjfuBv
Threatray 45 similar samples on MalwareBazaar
TLSH T102E4026073EA4B36D9B94BFA023054001776BD6FBA78EA8C5ED6B0CE4175F424A51F23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
견적요청.exe
Verdict:
Malicious activity
Analysis date:
2023-10-05 10:03:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec90f786-3309-469e-ad27-576c9310e887

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16531.25578.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651e84b1426c8727d6eea938/reports/3b8f5bbc-8d56-4094-9f7d-9d95a923b505/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ee7219b-4464-4244-b774-e98586200312
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1320105
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1320105 Sample: #Uacac#Uc801#Uc694#Uccad.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 7 other signatures 2->60 7 #Uacac#Uc801#Uc694#Uccad.exe 7 2->7         started        11 TnYaBdvu.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\TnYaBdvu.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp228B.tmp, XML 7->38 dropped 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->62 64 Uses schtasks.exe or at.exe to add and modify task schedules 7->64 66 Adds a directory exclusion to Windows Defender 7->66 13 #Uacac#Uc801#Uc694#Uccad.exe 15 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 72 Injects a PE file into a foreign processes 11->72 21 TnYaBdvu.exe 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 42 api4.ipify.org 64.185.227.156, 443, 49798 WEBNXUS United States 13->42 44 discordapp.com 162.159.129.233, 443, 49799 CLOUDFLARENETUS United States 13->44 46 api.ipify.org 13->46 25 WerFault.exe 13->25         started        28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        48 104.237.62.212, 443, 49800 WEBNXUS United States 21->48 50 162.159.133.233, 443, 49802 CLOUDFLARENETUS United States 21->50 52 api.ipify.org 21->52 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->74 76 Tries to steal Mail credentials (via file / registry access) 21->76 78 Tries to harvest and steal browser information (history, passwords, etc) 21->78 32 WerFault.exe 21->32         started        34 conhost.exe 23->34         started        signatures8 process9 dnsIp10 40 192.168.2.1 unknown unknown 25->40
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 09:23:50 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pzpdyspaxszoc24g5byplep6zj23bvyap3kykhwn7nypupigs5wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d
AgentTesla
18a48731b148e59ecffa75b392d72963d1a7e386201e9745eb1f06169cd37d00
AgentTesla
246d6ffb502aa4b83300c5bb35e008e245ad36d243a83e6bdfee04eefdaac71e
AgentTesla
40d0a5c663f59b7454e4e8535918b57ccba56e5f445d02e384debb16b868ebce
AgentTesla
4eecb3d02825158bc36d86c8d75f37137a11576eb8fb9fec7e592648fd369f96
AgentTesla
7cbe0d24267f2f3b343b4e223cfdbeaf47ce23e2d405d65a72074682b1f56089
AgentTesla
87762de58ca2d2b24f126c5767f14b76f04cf9b8e9d317f325ff131fc3e88bc3
AgentTesla
9469f86dad566eb14d265d9b449de22d1b67b72c40dd3033f15a6243e376ab96
AgentTesla
aafdc5cc140661046edad9a3b157fab08df14b11b53e394ceb00bbdee14cb34d
AgentTesla
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231005-lnrx2aab8z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
2e784255765e932b2f93d8c55464fe4a2ff91a36e3a2f2fc515d8864d6076a36
MD5 hash:
80f85576c278a788ed66c12fc9531f2e
SHA1 hash:
fb50f27685bfa55ab1b74982a19b84ee5d270230
Link:
https://www.unpac.me/results/2c9388a8-8fcc-4352-90ea-7d87398b22c7/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/2c9388a8-8fcc-4352-90ea-7d87398b22c7/
SH256 hash:
c9d8bf22a149b97a63aa741db547fe491533ea90686ca1f3778164ee30bc93e4
MD5 hash:
b6a7249587bca7ecd0aa5445c31866fb
SHA1 hash:
d2f64d1f3fc6323cd3545a63e65607471f72e475
Link:
https://www.unpac.me/results/2c9388a8-8fcc-4352-90ea-7d87398b22c7/
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
Link:
https://www.unpac.me/results/2c9388a8-8fcc-4352-90ea-7d87398b22c7/
SH256 hash:
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
MD5 hash:
db82b1e54d378158c2873fd90f30880a
SHA1 hash:
75d28d710180b899847f35de4857952cde5d97ba
Link:
https://www.unpac.me/results/2c9388a8-8fcc-4352-90ea-7d87398b22c7/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e5e3c49e0bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments