MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74
SHA3-384 hash:	be934ac33c414e76972559dc8ee8a59bd2b733682a577cb3bf5e6421490461095d9c4580ef12a00d84f79045fcab42c4
SHA1 hash:	681dbc4eb5dac0a19533834a9698776bd46db80f
MD5 hash:	b8ec5b7361b39b0bc5471c3bb23bcf79
humanhash:	jupiter-magazine-west-freddie
File name:	DHL SHIPMENT AWB# 4633817031_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	966'656 bytes
First seen:	2023-12-18 18:53:16 UTC
Last seen:	2023-12-18 23:15:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:qGXDY6tPATswYfzBySzmhk8KuyX4IEYVSsZhyX5ThoB5AM0qzpw:VzdAfCNyGmhk8KuyX4IOkMwAMzzp
Threatray	4'197 similar samples on MalwareBazaar
TLSH	T1B225B33C58BD2237D5B5C7A58BDC8427F25CA46F3151ED6588DA93E603C6E4238E322E
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/468345/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.2248.1684.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6580954eb855eb3693e48b0c/reports/8dec60af-4832-4fa6-b1dd-0e2003b73e35/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd30778c-7429-4242-9a09-c7eb87c1276e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364123

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-18 10:52:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5kqm3razgvg6nli7mkcugssv4ytabnoi445l43y2ymzd7bpzz2a._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

5c3a1a44e8f69e87acc9b95aa6798fcecbc33dc8f11a96b89bea796236887f92

AgentTesla

a0af28c2998916fb7b8d403dc398c54f829e0f7a0768834fcb7b677048aa18c4

AgentTesla

b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce

AgentTesla

bfa9ee3b5a985b9a9a3d5df7d691a1f2fa14334d800331310033d37d3ed2ba8b

AgentTesla

+ 4'187 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231218-xj7ngaedg8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

8c887b6830204ebfbb6edde8fc5f70e42cf0086c26b97f477a02ba328379ad05

MD5 hash:

526d926bd1f677078748681b69d84b2c

SHA1 hash:

ef6fb445834c83d12d8d89f19f19696c91332d63

Link:

https://www.unpac.me/results/dc8684ce-1b62-4c2c-a5c5-85e24713c822/

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/dc8684ce-1b62-4c2c-a5c5-85e24713c822/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/dc8684ce-1b62-4c2c-a5c5-85e24713c822/

SH256 hash:

26e45f403cdfe814e0bb0cfddb24c6e257c074ab7f1042ee1fc3d56f2f4c773a

MD5 hash:

1284934322e058996f102f49dc76fdf7

SHA1 hash:

81dad69bca70c3ae4d91dd22b452f64c87fb0a05

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/dc8684ce-1b62-4c2c-a5c5-85e24713c822/

Parent samples :

a0af28c2998916fb7b8d403dc398c54f829e0f7a0768834fcb7b677048aa18c4
128b915c058609131a3ae2ae25b26aea06b51a0001bb9b9794b9cf401f16668c
b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce
7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74
4e77677a9a29e465f030c9a9695533c8dbde964ecc66585a0b9f26a1548ad3ff
0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733
dcfd5b0c16f4b58c12f71af5f546b06fbdf597b7a82d6c14b9799588551a5a9a
57653821b3827abd3779dcfc3a2d03f480eccf8beab8bc541ecda5aa9dc1bdcc
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
453a55e207726e7d46391d250ebb8be6b2f188c27ae597d49defeb8831f026dc
9ffb250a0fdf3f3cb6f1a0d9b4bf8b5b5693f2b4181e4b2c4373cfa64be5cea8
50493a0bad941676566a58131684cefe655e9913366257e8f25092f0914eb3fa
299b6a2c1ea140d514d858008cbc42425f7e580d203942d742f21ee6d307d90e

SH256 hash:

7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

MD5 hash:

b8ec5b7361b39b0bc5471c3bb23bcf79

SHA1 hash:

681dbc4eb5dac0a19533834a9698776bd46db80f

Link:

https://www.unpac.me/results/dc8684ce-1b62-4c2c-a5c5-85e24713c822/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f55066e20c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample