MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec
SHA3-384 hash: 927383ec98f7d0c1f27360f9509e630aa0f9695e96c1e21a4e8a7e209e6b11c248e086cfa221e672a3c5cad2e6e54617
SHA1 hash: cca62f66a1514e610c70b4e4152c0c15c4e766ba
MD5 hash: e9fa8f0e3258ab4c058bfa1c66ff8cdd
humanhash: mobile-eleven-march-bakerloo
File name:HY19071 PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:485'888 bytes
First seen:2021-09-13 12:05:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PFuy/tWGk4DbF53e0IUFLgxp8KBhOt9iA2NZAZj69AyizChnFH:y40xzvOSLN+jeAyA0H
Threatray 9'779 similar samples on MalwareBazaar
TLSH T1E0A4BE242DEE5029F173EFBA5AE474969AAFB7733603E86D145103870723B41DEC193A
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HY19071 PI.exe
Verdict:
Malicious activity
Analysis date:
2021-09-13 12:06:17 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/d66a7b06-18af-4645-8576-d72fea6e0f35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187450/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1025.23642.16973.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6175011adb358dd15ed91ba7/reports/d69d68a6-dc5e-40ca-a672-7de2cde97728/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19940d4c-d8c5-4a3a-b366-a8d17f527dc3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849753
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 01:11:35 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pz3bcrsbp7sqw4l6oxhdkjw4i2rc43cbno3b5ymmepgtu2ijyxwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
014b3137818fe9c6b66f870dfb5a2d59ea9e78ef414cb28dae5142e9eeb1736c
AgentTesla
26799266072f7aeaf11cfe54773cd3f387dd383bb8900cf1708a8db00740d101
AgentTesla
27be20987c99b458cf83ec344bde7e393c16faf117889382a595ea3bd4b1e248
AgentTesla
2b753f49b613e63e1147071b6935bf5a010f95f42145099e38a2eba447e6e625
AgentTesla
3fdd6fb3ef8dc83279db7671263b4d7ea0fd896a3eebabe951ca86bd3cba7233
AgentTesla
4317d0c6e4f3db18cddf672376a586b3652fa7f8aa9e6789821cc2ddcf538d25
AgentTesla
481e26f9e3e3c68c95db2e01ce4f552805c4a11014781ddeea08f43c3a3c530b
AgentTesla
639b9c39bd84e462f141b98d3905b4c695d70ae5259b63df22dd3e454e59f872
AgentTesla
9b49a9b7baa2dd6642fcc3c97976f6f1ddb0f8d6b4261ce4b32583c75a572e4e
AgentTesla
f04d5b287971f60d5f04b262f3714a790b7d7c9b591ab88faa1d1f5244792d09
AgentTesla
+ 9'769 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210913-n9qyzagfgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6470ac89d4960747346833be19554cf8bd4bc339576738fc40a79566af89b5a3
MD5 hash:
c3ad49f15e627fc63d2da1a635849bcf
SHA1 hash:
c04b86e9a9b82039cb115887e44a18ac7492d109
Link:
https://www.unpac.me/results/36c03759-fb4e-40e5-ab43-9ad56ce096eb/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/36c03759-fb4e-40e5-ab43-9ad56ce096eb/
SH256 hash:
c820f89b4438bd3d6eb33fbba33c13b9a309ea0bb2c3ae53ccbadcae5083e5a5
MD5 hash:
2a0a02997240b17c69867f38ffc0f3e9
SHA1 hash:
753f37ea3645cb24fa2e0a1c2546215fe79c7582
Link:
https://www.unpac.me/results/36c03759-fb4e-40e5-ab43-9ad56ce096eb/
SH256 hash:
7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec
MD5 hash:
e9fa8f0e3258ab4c058bfa1c66ff8cdd
SHA1 hash:
cca62f66a1514e610c70b4e4152c0c15c4e766ba
Link:
https://www.unpac.me/results/36c03759-fb4e-40e5-ab43-9ad56ce096eb/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7e761146417f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/7e761146417fe50b717e75ce3526dc46a22e6c416bb61ee18c23cd3a6909c5ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187450/

Comments