MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614
SHA3-384 hash: 164101aeb2332ee0d7c8c11287976716467dcfa0e25e20518a7ab2ac9bd43f8f768c51a2d6802467e9a1de9fc9391705
SHA1 hash: 12412cd9a04b794a7768ada1d9b66b16fea9e01b
MD5 hash: 41d8c370c67f7ac2d60a1e8a9bc6a324
humanhash: batman-equal-island-ink
File name:shipping document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'424 bytes
First seen:2021-02-01 06:26:13 UTC
Last seen:2021-02-01 08:18:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:up/6toP6/u8/wEt27TNn+bYxsHCLBTq2ZJf2:u3P6/u8/p449SJf2
Threatray 4 similar samples on MalwareBazaar
TLSH 4405E0326745DF58E47F97BA9438668053F1BABBDB11EACD7CE540D82D61F800B22B42
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipping document.exe
Verdict:
Malicious activity
Analysis date:
2021-02-01 06:29:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d3774c7-9a70-43bf-8838-4cc5ffaaaa5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114401/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594960
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-31 12:35:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6xynywj7pkudexl47fxsxridlvgn4ho64v555zebypfioxnyyka._file
Verdict:
unknown
Similar samples:
10322acb3813bf047663e86eed28be131bcec8c67fb54f6643c5419b05a4cc8e
AgentTesla
1514ac17df22efd38c94f55862e01bd17ccf24def18924566e50dd5a1721eefa
AgentTesla
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
AgentTesla
510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210201-2t1n7fcrjn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
240df6e0c1e74f0111380fa99bd67c4cb96f25d73f1875736678ef1dfe3ded23
MD5 hash:
3c2e568e591860b26aac052ec7a03670
SHA1 hash:
d6d9f18e64f599c23685cf26cbbb3f01eb2f5c1f
Link:
https://www.unpac.me/results/8daa2f67-c885-4234-bc65-fe218a85b784/
SH256 hash:
7f0e3daac06ca679fbb7263c95c377ba9e90d9a641de382b3e19ef280c39de18
MD5 hash:
85ae26ac5c15f321e5ad498a123acad9
SHA1 hash:
593db3dccbb92df55192b1fee2c8d465ebb3749a
Link:
https://www.unpac.me/results/8daa2f67-c885-4234-bc65-fe218a85b784/
SH256 hash:
0dbdcc70022aca31dbb52bb3ea1ee1304e537ee88e237b8f1cae31aadcfa75f2
MD5 hash:
a66b03f0fc7431afe5a5ce2051c7f499
SHA1 hash:
15e6f031128e765a614d15846280053489e6dac4
Link:
https://www.unpac.me/results/8daa2f67-c885-4234-bc65-fe218a85b784/
SH256 hash:
ae0d58682542587376e23aa5b1322a09c46200ba58684ab6ad9178760a341c5c
MD5 hash:
c5083dd8868e45452a1fb08867688bb7
SHA1 hash:
0f9efc5f861bf7b9d1e4029a34b42ea0f6601f37
Link:
https://www.unpac.me/results/8daa2f67-c885-4234-bc65-fe218a85b784/
SH256 hash:
7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614
MD5 hash:
41d8c370c67f7ac2d60a1e8a9bc6a324
SHA1 hash:
12412cd9a04b794a7768ada1d9b66b16fea9e01b
Link:
https://www.unpac.me/results/8daa2f67-c885-4234-bc65-fe218a85b784/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 546d7c468debef93dca95f2f31b9f7da1988254a337779acf19fb41cce25b9b8

AgentTesla

Executable exe 7faf86e2c9fbd54192ebe7cb795e281aea66f0eef72bdef7240e1e543aedc614

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 546d7c468debef93dca95f2f31b9f7da1988254a337779acf19fb41cce25b9b8
Cape
Cape
https://www.capesandbox.com/analysis/114401/

Comments