MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609
SHA3-384 hash:	3af2ea5f4debdf7c05a2390de058b8229f939067b9f64dde27df478480e1c57bab66a08ade3b8da8b18cf5b765290419
SHA1 hash:	589e78b93d59036815b6d99232a82e6c99dd46f8
MD5 hash:	5f38b79438578be05c97414e5439b0f6
humanhash:	connecticut-dakota-pizza-gee
File name:	hesaphareketi-01.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	718'848 bytes
First seen:	2023-12-13 19:19:03 UTC
Last seen:	2023-12-18 08:51:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'661 x Formbook, 12'252 x SnakeKeylogger)
ssdeep	12288:ycGaWw3jraNCnkYrHuDHLxSERN1fdwa7fdSSSlIalUFseDAGWZ6:3GGgMpqDH5X11jfcSOGFVOg
TLSH	T1AFE4230E6E8C754ECEAC7070DEB6745F0B7162722C5AE6597E9401862713EEEC5B2F08
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	64033a2c2c3a0568 (6 x SnakeKeylogger, 3 x Formbook, 1 x RedLineStealer)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

424

Origin country :

DE

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467320/

ClamAV Detected

Detection(s):

Win.Packed.Dropperx-10015353-0

Alert

Create hunting rule

Win.Packed.Seraph-10016137-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Reading critical registry keys

Creating a window

Setting a keyboard event handler

Stealing user critical data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/657a03e65937bfdbca0fe746/reports/46f94bb1-5054-411d-8226-cb596fc22edb/overview

Hybrid Analysis Ser.Strictor.Generic

Verdict:

Malicious

Labled as:

Ser.Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/341d0b1e-95f4-4d61-8180-a90375a65fbb

Joe Sandbox AgentTesla, PureLog Stealer

Result

Threat name:

AgentTesla, PureLog Stealer

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1361703

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Strictor

Threat name:

ByteCode-MSIL.Trojan.Strictor

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-13 19:20:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

7

AV detection:

20 of 37 (54.05%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w7sqy5zdkb2qggvr7nvp5gew4v4ulq4hqfv6vse6jh4wd5jx2yeq._file

Threatray agenttesla_v4 agenttesla

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

agenttesla

Alert

Create hunting rule

Hatching Triage zgrat

Result

Malware family:

zgrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla family:zgrat keylogger rat spyware stealer trojan

Link:

https://tria.ge/reports/231213-x1jmzaaae9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Detect ZGRat V1

ZGRat

UnpacMe

Unpacked files

SH256 hash:

b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609

MD5 hash:

5f38b79438578be05c97414e5439b0f6

SHA1 hash:

589e78b93d59036815b6d99232a82e6c99dd46f8

Link:

https://www.unpac.me/results/5b0fa05d-9b14-4cbe-98d8-1b6cc8ab91dd/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7e50c772350/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

0.83

Link:

https://yomi.yoroi.company/submissions/b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe b7e50c77235075031ab1fb6afe9896e57945c387816beac89e49f961f537d609

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/467320/