MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399
SHA3-384 hash: 03beec286586f43f1801cb71f353890128e6ceab0f74fe6328753d18b19332b0e0170d6d829a45389a676bf6bbf5fcaa
SHA1 hash: 5316795ad1ff00e6db5b0d9f4b598f81d02a55c0
MD5 hash: a0174d0ce23bdc10aac6a50ab7540412
humanhash: autumn-quiet-yellow-georgia
File name:a0174d0ce23bdc10aac6a50ab7540412.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:706'048 bytes
First seen:2021-06-20 08:09:34 UTC
Last seen:2021-06-20 08:48:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:uGN9waLJZseooocCdOAodFbXIlwKZyh73cHAbmqh:uGL5LseoNceOBslwQyOqh
Threatray 5'965 similar samples on MalwareBazaar
TLSH A8E417C43132AA4EDFE24B3A65304BB15D103F36179FADBE71E23B98563D951EA0016E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0174d0ce23bdc10aac6a50ab7540412.exe
Verdict:
Malicious activity
Analysis date:
2021-06-20 08:12:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d74f8350-7bb1-447b-9ce1-2e1d9ce3d814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167155/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.30680.14615.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/627fd541-a130-4e92-9392-799dccf98a8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804877
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-20 08:10:17 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p64zajiowraioj37q7udmwrq3tplxim4frgezcjioyyp6mu26omq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12b582ab21f7f9cd0f7475461d4f3e12ea5b8ce8ea86010e062d6dc7b5d83473
AgentTesla
303cf0969720059305f095045e89ecb76c87f0b7473723ea9c09e534a99f1e21
AgentTesla
3346dbacdf7e0f240dd2ed2f99af41e4106e10039f096a8142fed178c4413fd9
AgentTesla
4a9f65c36f2f23acdba1e9d4aa7ac525822441e2a7ae14afcf8808dc86f0405c
AgentTesla
60a77ee5b32933d4ecd4c6302f62d1ff9ae732b24350c67ac0b6b84f253a867c
AgentTesla
8160d7520a2f9630dc0b3773b07d2a9fdf937f2b3b722980c96dfbc4db4a85a7
AgentTesla
9699f6623a555a81905b77679dc69befbd87063400029277ad651a316abf21a0
AgentTesla
9733220cd3a69b55438876d8fb6477f2ebec950de8151f4732d415468e58535d
AgentTesla
9bc678c39c87021ed3ad959283499e49679da53068017e1410580cd18b58054c
AgentTesla
de0419f15e231116f87b5ac3a8aeab734175c685920fce69c8c39836d1ab4491
AgentTesla
+ 5'955 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210620-mnw2mvca5j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
42996a170bf4a3d569fa8f000695426aa78d164b7b030c276177bb6cb0536db0
MD5 hash:
c487eeee33263bd87bf9b03466ef4eb5
SHA1 hash:
6d4d28f7bef76e1fd997883d0f1ba93e9656b844
Link:
https://www.unpac.me/results/1e5de731-09c2-4776-9e09-e3be55e57dd7/
SH256 hash:
8bf110da8420baf36c1ac25f4b84549ad95fc5c212b43202da470e8832c98463
MD5 hash:
371edb78375dcd4baf4d03f6987b2837
SHA1 hash:
6a74ad2242ee9551649ad1a2a9234abe2e866d93
Link:
https://www.unpac.me/results/1e5de731-09c2-4776-9e09-e3be55e57dd7/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/1e5de731-09c2-4776-9e09-e3be55e57dd7/
SH256 hash:
7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399
MD5 hash:
a0174d0ce23bdc10aac6a50ab7540412
SHA1 hash:
5316795ad1ff00e6db5b0d9f4b598f81d02a55c0
Link:
https://www.unpac.me/results/1e5de731-09c2-4776-9e09-e3be55e57dd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 7fb990250eb44087277f87e8365a30dcdebba19c2c4c4c89287630ff329af399

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/167155/
  
URLhaus
https://urlhaus.abuse.ch/url/1150070/
  
Delivery method
Distributed via web download

Comments