MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67
SHA3-384 hash:	8552fd044fc36e6bfa13ba1b7738cf8ce1a93fb380f639ab68be48b95cbe8027990ac2a03fc2019c338b1c582d7496f9
SHA1 hash:	026d23ec3491ecf8e995937c07f56559635704b6
MD5 hash:	5ad27819990e8c91c68bfff80ce7b8a5
humanhash:	fillet-sad-pasta-maryland
File name:	New Inquiry - Qingdao Wisdom International Supply Management Co., Ltd.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	590'336 bytes
First seen:	2023-04-14 06:46:42 UTC
Last seen:	2023-04-14 07:12:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	6144:YrGHJJxN9vjOiqpSGatSc2OGZRm/KY15LPRZyei30133ennMUW6AbT1lsKU5X4IW:YrQoitFRu4/KY1tySJen1gW9qYctR
Threatray	2'080 similar samples on MalwareBazaar
TLSH	T125C41226B7AB9222E2B887B740F6051843B296536653C78D5CD9308D8F4F7C94F52F4B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Inquiry - Qingdao Wisdom International Supply Management Co., Ltd.exe

Verdict:

Malicious activity

Analysis date:

2023-04-14 06:48:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0a1e01b1-288b-47b3-98e0-51ea90f7fb3c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382191/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed unsafe

Link:

https://www.filescan.io/uploads/6438f6e9b8bb6af0d10d954f/reports/d70fda38-7c42-4980-872d-438d161a12f1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd8f62ed-2e18-4599-b722-e319a5655d96

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1213740

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p6ov3xhzsj7th7tkpz3aexvrz7xxzxcitl6dz4bjopvnfyqzpntq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

15b0f8e2aed7ee2ada1092022c44479d911c860804a28933fb98db80c2c560d2

AgentTesla

1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562

AgentTesla

5c1ca4adaa201d18b6f6af946d8b610fbc30dd33994bd69c34349af46d2eb1a9

AgentTesla

69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be

AgentTesla

745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d

AgentTesla

7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67

AgentTesla

8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519

AgentTesla

920961f43c4590704b068fb3bd274325c966908e805f7994522ce173e7e4c0ec

AgentTesla

d9af863b59bd558282c282807446bbc9bf19347df44eae0107d4f008afc303c3

AgentTesla

+ 2'070 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230414-hj7wxagg25/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

ebc746d70c2e0e1c17c3b07a41f2437f4cc9b1d94025adba636413244ffd85aa

MD5 hash:

f1c02ea3db40ac4030c76edd37b28a18

SHA1 hash:

fbfd2a6257adb779a8c6324fcfe4b2eb588af4c3

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

SH256 hash:

ca57c4aa2baa0639743daa11ce548d5c131a7c154e9c46a7e54fc569b33d2f06

MD5 hash:

f50bdd792e6fca2ee7391035126e2c32

SHA1 hash:

9b105692d62548b2630f75fa32439f163a37f794

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

SH256 hash:

072ead9c26749cef708539c58a16e8d22c9fbd2a752776fab54e54e49687b538

MD5 hash:

c86af051c96b80c326bbb9fd598609e3

SHA1 hash:

2d6216ba540abb1bee1e0b2ab028611e1514cab5

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

SH256 hash:

a8cb23f0d03321bec01dc5c1ec5d2cee14a83dbd0e4fde487d505cb6a9c755e0

MD5 hash:

353c8d0f37b87c3113bb6c05daf1832d

SHA1 hash:

15535a0e30fab46be6c3346f4b4e4e51cc3364db

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

SH256 hash:

7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67

MD5 hash:

5ad27819990e8c91c68bfff80ce7b8a5

SHA1 hash:

026d23ec3491ecf8e995937c07f56559635704b6

Link:

https://www.unpac.me/results/48047ad3-b8e7-4b55-b96e-e885f76dcdb2/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f9d5ddcf992/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f9d5ddcf9927f33fe6a7e76025eb1cfef7cdc489afc3cf02973ead2e2197b67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Dotnet_Hidden_Executables_Detect Create hunting rule
Author:	Mehmet Ali Kerimoglu (@CYB3RMX)
Description:	This rule detects hidden PE file presence.
Reference:	https://github.com/CYB3RMX/Qu1cksc0pe