MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1
SHA3-384 hash: 3e6c4bd29661a17a101f87a95706b014fc440be0520b18a75a4d67733d66a791ed8bbd785740c36b28c8b41e690c49bf
SHA1 hash: 87d7acf8a48d2ea35d8174beb95ee12f1eaabb8d
MD5 hash: 7b6e9441427149a22bf0485cf5d9ec00
humanhash: mirror-ohio-sierra-two
File name:INV#20201015_DSV 02013848361_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:497'664 bytes
First seen:2020-10-16 10:22:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:8fbcuX3maQOJ9TIDIfq+BPHID7Xr/lbdRlO2h:AXGrKaDUqsID7bj
Threatray 76 similar samples on MalwareBazaar
TLSH 32B46CB8AA48966EE95E4C32C48D08E151287C5F5E87F277584336CFCC2A547DAB20F9
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vmail1.nohup.it
Sending IP: 185.23.31.39
From: Vincenzo Pugliese <vincenzo.pugliese@it-dsv.com>
Subject: Loading n. ordine 3042495
Attachment: INV20201015_DSV 02013848361_PDF.img (contains "INV#20201015_DSV 02013848361_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/493374
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 16:41:30 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y62whi56fekl324ovuroplnrwpzpbyhdhm2uratiajcrfukr7cqq._file
Verdict:
unknown
Similar samples:
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
AgentTesla
303dec4a84eea1ada9965b8fac568aa883fccd240dd0959ca8c575f3079a7ccf
AgentTesla
344e623ca2c22240a52b952e83939f053675259b17f207cdd71453acab5d0060
AgentTesla
6064936e934c6da4c769953688b4ddc4da448563d1f0ea3708548b187c0b880e
AgentTesla
61a57f66dd47818dbde83c6b2eae0bfe5ecac215605e3fac4c4a2a30c270cc04
AgentTesla
6c66ed3a40b1964b2d4f5d86214ba8468e0313ae8f340bb91a8059f94318e47c
AgentTesla
7ce357f7c3475e91f3dd3880f4fbbaa6d50f7101044b8b24e2ca0ea70981286c
AgentTesla
e7d5f4ed2e66690a6df80a325edf4e6f1d20a2a650b989889d65d934d0ae5c1a
AgentTesla
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
AgentTesla
ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54
AgentTesla
+ 66 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201016-gz9yte5pa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3450244449f61a6bcf9cf7d7c1574bf896459c73efa1524fca0b849d245a252b
MD5 hash:
f9002baa6a44494226c6d320b61832ce
SHA1 hash:
07c4148c7fee8ab42e6466df5a4eb0e465e3c548
Link:
https://www.unpac.me/results/f8b4861e-ee5c-4d70-bbf6-d25de21edce2/
SH256 hash:
408e285a0623013bfcb2d96e11dbe7fb5a0166ff3a58dcffac327739ece56da2
MD5 hash:
f0deb8090f7f4a2f7ab7260582e827c7
SHA1 hash:
402a0d0d69430bc9e62f246bb604042fa393d1dd
Link:
https://www.unpac.me/results/f8b4861e-ee5c-4d70-bbf6-d25de21edce2/
SH256 hash:
c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1
MD5 hash:
7b6e9441427149a22bf0485cf5d9ec00
SHA1 hash:
87d7acf8a48d2ea35d8174beb95ee12f1eaabb8d
Link:
https://www.unpac.me/results/f8b4861e-ee5c-4d70-bbf6-d25de21edce2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 74ae004c107d3af9ab784dbf7075d766aae3865d4bdcff8810404ac2d5359b9e

AgentTesla

Executable exe c7b563a3be2914bdeb8ead22e7adb1b3f2f0e0e33b35488268024512d151f8a1

(this sample)

  
Dropped by
MD5 3d2e995cc9466bd045612e001b7afb60
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71889/
  
Dropped by
SHA256 74ae004c107d3af9ab784dbf7075d766aae3865d4bdcff8810404ac2d5359b9e

Comments