MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
SHA3-384 hash: 475da8f25325910faa41eff0f8e338fa65cdd449e03d5bb79d8c2d21bcc9a3371e876e8dc01d2d58968d2e5d63d558c9
SHA1 hash: 3eead112f1b68216216448b542eda77b912ee622
MD5 hash: 7c90ca895e479a73935190d4519b259e
humanhash: cup-sweet-failed-three
File name:Hesap ekstresi 19.01.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:527'408 bytes
First seen:2023-01-19 12:52:53 UTC
Last seen:2023-01-19 14:31:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:mYa6p3pzCqVuCSoziqw0b4E6+05Gp776q7sk6o7zF30SxIL3cyUWrJJkRE4G8BT1:mYT52q0NdBj8+KRQEV9QgX
Threatray 25'412 similar samples on MalwareBazaar
TLSH T1CEB4F043BA1289D7C8A447BD19A6D32C2B60BF294893570B73357B6BB870A475D0F3D8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 30e0d2c1e8f8e4c4 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hesap ekstresi 19.01.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 12:57:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3df41929-0bb8-499d-80fd-e4c7d834cc44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354514/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30000.1335.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61453/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  10/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c93d32bda854045c1956d8/reports/de5623db-0595-4e04-8983-e249b3732559/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eb21c03-99e1-4b51-a3ee-bbb533c92d14
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154974
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 12:24:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7jl2huwrlva5algjks2vpkcrjl5ck6ik43bcvb224vfozqrqc4a._file
Verdict:
malicious
Similar samples:
76e24ca3952bbed5f20751c0cb99fc498999cb23d61972e826bad32dda60f7b5
AgentTesla
77a8dd63bb9b99da6daa8291b894e4a1dc05d8476abd943d728798760fb1422b
AgentTesla
8c4cc2077f0eab36be58bb86b34035f1b9c133902630526f609ff0c194f4f236
AgentTesla
a482218c80bb91030f21119952bad2383fc9a5b69dfcd954b5b80585858fbd56
AgentTesla
e981e1db1021b07c50b3d819e4ac62f5b1cad2bc64c591fd59c427f57ecb1fb6
AgentTesla
f80686e2d4265e07d5693ba67db39f0956e420de32e78012d2735d8bde358ce1
AgentTesla
+ 25'402 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230119-p4qxfsfh94/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e98b1ffe-ab1c-499f-a7a1-0cb89b714a1b
Unpacked files
SH256 hash:
88b9eda74a0edef7de92182f86d52fb3fca53af463c7375f69a83322c2b9dcd8
MD5 hash:
b4f9ad1ef85e0cf52e8842cfa98e7964
SHA1 hash:
ee4a4c7f62d8fa7a0e07813a3a2c5ae4a921bb7b
Link:
https://www.unpac.me/results/71da3862-4ce6-48e5-b2eb-9c27149082eb/
SH256 hash:
3f737e02ed36dc5bb7f88cb4c2e7b8bbcd11ac077930523ad8b5a28183d16f6d
MD5 hash:
656e06b56d6ef506b78855a79ac800bd
SHA1 hash:
becf776240daf29fc934239bf3ce25b411168098
Link:
https://www.unpac.me/results/71da3862-4ce6-48e5-b2eb-9c27149082eb/
SH256 hash:
7245faa41a74795b251ba213361e8e2913833d311e73c284e3167fc41d590f4c
MD5 hash:
8fbe8dd0f934386d639203e74274a96c
SHA1 hash:
e5c6e3d695df6e9ee9eb463f912b08fd3c746a80
Link:
https://www.unpac.me/results/71da3862-4ce6-48e5-b2eb-9c27149082eb/
SH256 hash:
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
MD5 hash:
7c90ca895e479a73935190d4519b259e
SHA1 hash:
3eead112f1b68216216448b542eda77b912ee622
Link:
https://www.unpac.me/results/71da3862-4ce6-48e5-b2eb-9c27149082eb/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7d2bd1e968a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/354514/

Comments