MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4
SHA3-384 hash: 9a3b91b4b3f1403613207cf23f203bf0552954a97f893cd91952fc35cf9612beae9a242611f09a19755ec4f7fc90a552
SHA1 hash: 328ac70e04feabe553289f74289344f237ee7d2c
MD5 hash: 9436f0782fc4a39e5461be48617ca3a8
humanhash: black-venus-fillet-november
File name:BL COAU7233640720_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'816 bytes
First seen:2021-09-14 02:52:14 UTC
Last seen:2021-09-14 04:22:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:FjF+THHb3BSjrOnSTk5CZbhCjdKTC4Bj0zQgmDzg:Fj8HHb3BSrOKZbccTC4Bjxlzg
Threatray 10'229 similar samples on MalwareBazaar
TLSH T188059738ED0B21B7EBAAD334E4BA150AA5F418BB33349D5EC192774D190760374DA3AD
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL COAU7233640720_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-14 02:54:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94ef4eca-16c7-49ac-a0b8-a9933d9c07ce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187615/
Detection(s):
SecuriteInfo.com.generic.ml.31606.10893.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6175083d9a5a1e91c5d1fe7d/reports/b2ec5172-4925-4d79-b93f-a3ce5b1cc65c/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dae0dcd-1395-4f6c-b2dc-f7b7982b0c3c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850319
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 01:45:30 UTC
AV detection:
7 of 40 (17.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5ijzsbzefl6uohr2uiyoganornhf44udcbp23dkcdtm4wsec7ca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
57b2a44351febaa40160b21423b5f084f15802290e82910cd3d94331eb3e3791
AgentTesla
5adc4cb387d4bb0d2a3c1377a61bac5fa66ba260e5a33f1ca7d65fef695b14d7
AgentTesla
7fcc227a274b3d5e1490799223181c246178a676b12de3c1c59d6a5d675febb7
AgentTesla
8d612b2743dcec9641417c32c472aca58eb0161e8609754fcf728c7ee57ee5ca
AgentTesla
a0fc7a3730fb9125bd92aa5f06e1942ae159a2030e228bc718fefac556a81a5c
AgentTesla
a3ed514949ec3a2bef161647cb6223a13db74b6d43bef963466fdd8104f2689c
AgentTesla
da302746a73a8909ef19576f7537679caaf265373d5f6485aacca17f51de7632
AgentTesla
dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
AgentTesla
e7d489df6c41d065986388f6673e9b179acf89d87acf58ca8a015d778a6c8dff
AgentTesla
+ 10'219 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210914-ddbjaseff3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/b2bd7efb-f877-412a-883f-522919f859ea/
SH256 hash:
9b02af0db8618059b81b463f3038a27bc218f60ee223bc2ab3e3a9fd9b8a6ba9
MD5 hash:
51734cf0b1e1cffbd124f6d118574b19
SHA1 hash:
5a66bd2412dc526494ac1cefdbaccd5a8e67bc21
Link:
https://www.unpac.me/results/b2bd7efb-f877-412a-883f-522919f859ea/
SH256 hash:
e363c5a352a2f0ed3702ebc5d9de35a9badc08c670d602f5761539e4ff97e5d2
MD5 hash:
707c9c48edbff11ff8be8748283da454
SHA1 hash:
17918946a448fc90b3ecc11c4fd441d0635daa8d
Link:
https://www.unpac.me/results/b2bd7efb-f877-412a-883f-522919f859ea/
SH256 hash:
b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4
MD5 hash:
9436f0782fc4a39e5461be48617ca3a8
SHA1 hash:
328ac70e04feabe553289f74289344f237ee7d2c
Link:
https://www.unpac.me/results/b2bd7efb-f877-412a-883f-522919f859ea/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b7509cc83921/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b7509cc8392157ea38f1d51187180d745a72f3941882fd6c6a10e6ce5a4417c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/187615/

Comments