MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0
SHA3-384 hash: dec03b7aeae3fa3cf96ca98f0080130e29929e42be78999c530802b94e92e144b6b33b1d1e6c60d8a113a18a75674dbc
SHA1 hash: 6b1ebb906301252547d50266445dfed154d36e11
MD5 hash: 91b675d8d9573b6a032677d9d4b0e149
humanhash: lion-cardinal-undress-winter
File name:SOA AS At 31st Mar.2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:597'504 bytes
First seen:2021-04-06 21:30:46 UTC
Last seen:2021-04-06 22:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tG/3I8TimyPAZWm/9gUZeKsdsEOQtxW2Z14u2qOd6VJwyIpaZzIdI62:AIPAZWukcEztM2f4u2qOdmJfIpcZ9
Threatray 3'720 similar samples on MalwareBazaar
TLSH 40D4EF782E401AC6E9EC7BF4285094424BAD8DA673C6F70ED7B071A59A313B3DD0661F
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA AS At 31st Mar.2021.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 21:32:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5159cf63-1b73-480e-99bf-dfc020a77eb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132715/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668071
Signature
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382965 Sample: SOA AS At 31st Mar.2021.exe Startdate: 06/04/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Sigma detected: Scheduled temp file as task from temp location 2->64 66 11 other signatures 2->66 7 SOA AS At 31st Mar.2021.exe 7 2->7         started        11 newapp.exe 5 2->11         started        13 newapp.exe 2->13         started        process3 file4 42 C:\Users\user\AppData\Roaming\DAwegxI.exe, PE32 7->42 dropped 44 C:\Users\user\...\DAwegxI.exe:Zone.Identifier, ASCII 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmp660D.tmp, XML 7->46 dropped 48 C:\Users\...\SOA AS At 31st Mar.2021.exe.log, ASCII 7->48 dropped 68 Injects a PE file into a foreign processes 7->68 15 SOA AS At 31st Mar.2021.exe 2 7 7->15         started        20 schtasks.exe 1 7->20         started        22 SOA AS At 31st Mar.2021.exe 7->22         started        70 Multi AV Scanner detection for dropped file 11->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->72 74 Machine Learning detection for dropped file 11->74 76 2 other signatures 11->76 24 schtasks.exe 1 11->24         started        26 newapp.exe 4 11->26         started        28 schtasks.exe 13->28         started        30 newapp.exe 13->30         started        signatures5 process6 dnsIp7 50 smtp.vivaldi.net 31.209.137.12, 49725, 587 HRINGDU-ASIS Iceland 15->50 38 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->38 dropped 40 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->40 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 Tries to harvest and steal ftp login credentials 15->56 58 2 other signatures 15->58 32 conhost.exe 20->32         started        34 conhost.exe 24->34         started        36 conhost.exe 28->36         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 21:30:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3yuhinji2yutkknxq6s5brcz4pfqaurj3tu7vok5uf2syh3hhia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0063947555fada876477c4e186d19517a3894d56153477590b0d6367ec80fe2d
AgentTesla
3431190b4acce9544602d5d6ef411b64f0f0ebcd7628cec487e5a39347720d7a
AgentTesla
562d247c94d3afd41fb2dbe409605ff22354acde3361f9518ef260179c2076cd
AgentTesla
5cdc13420f4812754d41158ca2015d69c2d7c903f1b00f90db14705eee8f8cc8
AgentTesla
74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2
AgentTesla
7c6d3861bbf68bbb058925e888115864a1c3727fd6f3702d9eeb8adca304d505
AgentTesla
dff521eb1bc7abe5eb779280c5d17c95310be7352ce5927c2173bf1d91a6ca97
AgentTesla
e3154d853187b18659c637d16cb0a1fdd48c1bfa53c5d39aa11e1ed3db471dbd
AgentTesla
e4649c6b74b9494074c6020ba5e73d1253ed1929146135f4e9dbc48da6ace470
AgentTesla
fb1c77156c32d3643f2b21550110a48c3bbf869d2f0aa099b7400646e1fcaeb5
AgentTesla
+ 3'710 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210406-pw9dxsszw2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/1881b7be-b2a7-4be2-b7b8-4262717acfaa/
SH256 hash:
7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0
MD5 hash:
91b675d8d9573b6a032677d9d4b0e149
SHA1 hash:
6b1ebb906301252547d50266445dfed154d36e11
Link:
https://www.unpac.me/results/1881b7be-b2a7-4be2-b7b8-4262717acfaa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/7ef143a1a946b149a94dbc3d2e8622cf1e5802914ee74fd5caed0ba960fb39d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/132715/

Comments