MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e668e824e528e312b547817f7e96cc3ece42e75081a9588e13b5955dcfa2950. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	7e668e824e528e312b547817f7e96cc3ece42e75081a9588e13b5955dcfa2950
SHA3-384 hash:	c5ea865ec16eabe90b87dbafeb91289da3784dae05fbe6b86da9cb0be1fcd03a085b823a2db54a2f1f09b477513b268d
SHA1 hash:	36b8dd88545b4441cfe39fdf381a3a2a476f01b6
MD5 hash:	b5a5e8ff1bf424bce14c9e1f2d285a83
humanhash:	quiet-october-helium-michigan
File name:	drawings and specification contract.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	659'968 bytes
First seen:	2020-08-17 13:54:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:7ZhKka9eL6PdosPIhKo8yW0wVwVIpmg7DEl7z89qIItgy86SK0q2:b/ABPdTVKWpVwcmYuTaNN
Threatray	10'320 similar samples on MalwareBazaar
TLSH	CEE41223F261C912C17A4636C949935417782ACA7663F33DFC9922BF9554BE28B01FCB
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: ns5.bilsay.com
Sending IP: 89.252.181.244
From: <arma@armaltd.com>
Subject: Inquiry// Meeting Table// Final Payment
Attachment: drawings and specification contract.r00 (contains "drawings and specification contract.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/47057/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/433644

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7e668e824e528e312b547817f7e96cc3ece42e75081a9588e13b5955dcfa2950/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-17 05:23:18 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pzti5asokkhdck2upal7p2lmypwoiltvbanjlchbhnmvlxh2ffia._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

0e5e318e272a7450269e3eacf53f53f5f25b843f1d8828452a090e4b2afe04df

2b1b0832a94d3e2a53b597aab9a04130dfaca6dfcbb7dd43f2a6aff5a836ba98

3d10095b28765e35766f353b3b16723f94211b3d28d2712c73d50cb7bf6a3a76

52d7bfc971d3f5909eed410680570736d02dc79f93b42e1627a78597205ef862

62fcdae1698a3257838b23279dfb2706ed7eb727cbe24e89ab2445565d45de04

b69f6ee64e6f0fd78926dc5f41314ac63de7bd5f60969185dc7e48470ca1d0a9

efa3422b648b4ad5e66a973700c15abc250b772f9e699565c86909f817b54396

f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553

f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5

fcdececb42372d5ae1a1a1d367046476f916624878980498984983f00add62ad

+ 10'310 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer trojan spyware family:agenttesla

Link:

https://tria.ge/reports/200817-g1rcp8cfy2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e668e824e528e312b547817f7e96cc3ece42e75081a9588e13b5955dcfa2950

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 efdd71930b1035b643332384adf41e59f6ca280bd9b4a922bad7776d0410ab51

exe 7e668e824e528e312b547817f7e96cc3ece42e75081a9588e13b5955dcfa2950

(this sample)

Dropped by

MD5 0d857a4d436fbe928d6fe4435d8fbcf6

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/47057/

Dropped by

SHA256 efdd71930b1035b643332384adf41e59f6ca280bd9b4a922bad7776d0410ab51

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample