MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f5d47643ef02e7a4c2e00b445ba1f78122c7773b5b27fecfccd29260e7cc52e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	7f5d47643ef02e7a4c2e00b445ba1f78122c7773b5b27fecfccd29260e7cc52e
SHA3-384 hash:	cca3bdc092ec3780390c744e118b49b0d52b1642399b7a8d3cf1bd8a752405a1c6e00342596153749f3c3b175c27b7a5
SHA1 hash:	6fb428ffb2d67a69ac4427c8fcb6d28443ec557d
MD5 hash:	25739f14a967ec3d4c21beb0ef7db081
humanhash:	nine-foxtrot-pennsylvania-oregon
File name:	Facturas Pagadas al Vencimien .exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'131'008 bytes
First seen:	2021-08-14 06:50:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:v0gst2u8Q5iHw6Nd/hY1muKgIcMNwY6KA13pinSHHcD/xXfIhfnG:8gsF8Q5iNnK1JKg9owcAZp
Threatray	9'863 similar samples on MalwareBazaar
TLSH	T1EB357F3C29FD263FC0A6D775CAE28C13B00168AF7121AD5594C7172E532AA5376C72BE
dhash icon	70f0eab2e0ecf070 (15 x AgentTesla, 9 x Loki, 7 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.brimaq.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Facturas Pagadas al Vencimien .exe

Verdict:

Malicious activity

Analysis date:

2021-08-14 07:16:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/38b5e7e1-3993-4115-89bd-12552008a36b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/179166/

Detection(s):

SecuriteInfo.com.Trojan.Siggen14.59996.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5054a2b0-718c-43cc-af51-531bda10b7d5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832789

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7f5d47643ef02e7a4c2e00b445ba1f78122c7773b5b27fecfccd29260e7cc52e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-13 18:22:09 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5ouozb66axhutboac2eloq7pajcy53twwzh73h4zuusmdt4yuxa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0db37b6127c8a4265ac68f29104dd7ce217eaedaac9dd818d121c5dab44f4873

AgentTesla

202a874c92cd603d7743eec18025972cde4f15ac56792856a77d6f9e27b96ec9

AgentTesla

23f395feba9af97086e3c3dee7cde812ad67a31cc151d9285b2fc7b2f926bc4d

AgentTesla

66eee5b2f2d5356fc7e5aaf37b28536b36c8c13158e80972b6404bf3218e9574

AgentTesla

7a73931022a29bdf9fc344791b8b3d641c7ef49cb124d4b42942bc64ef6f5151

AgentTesla

a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed

AgentTesla

efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3

AgentTesla

f428071470e36380bb7afbd161da6a61a2283f9b7a4a9850395d0ed54f171041

AgentTesla

+ 9'853 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210814-bj8jnp5xaj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

33ac6b8012ce739e72022086b5d39b7fc030c20fa72988f76957685509d5c041

MD5 hash:

83f8ae95a7e6f016f6b00482588086e6

SHA1 hash:

70392939d6d60a913b51084ec1d98eaae8ca4868

Link:

https://www.unpac.me/results/2bd1b544-810c-4575-acc3-54fa390db360/

SH256 hash:

1ea63375478a37663a6c87993fdb73c4a816312900220660f4cf0c5a2e03b377

MD5 hash:

dbf7f63637a6186772db5bafa629957e

SHA1 hash:

32bd5c04fbfbaf3ddfce61986098446941ea2e45

Link:

https://www.unpac.me/results/2bd1b544-810c-4575-acc3-54fa390db360/

SH256 hash:

508df71a7848e598dc368322f7802a34a0752430ae978c4ec904bb9a90b73dbd

MD5 hash:

7461174083dee4dcceae59c6d3caedd0

SHA1 hash:

23194a12ffadcec0e7dce7cac861f06c96dc1792

Link:

https://www.unpac.me/results/2bd1b544-810c-4575-acc3-54fa390db360/

SH256 hash:

7f5d47643ef02e7a4c2e00b445ba1f78122c7773b5b27fecfccd29260e7cc52e

MD5 hash:

25739f14a967ec3d4c21beb0ef7db081

SHA1 hash:

6fb428ffb2d67a69ac4427c8fcb6d28443ec557d

Link:

https://www.unpac.me/results/2bd1b544-810c-4575-acc3-54fa390db360/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7f5d47643ef0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f5d47643ef02e7a4c2e00b445ba1f78122c7773b5b27fecfccd29260e7cc52e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179166/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample