MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d
SHA3-384 hash: 436eb6f86f356c9992ee133304b6e41fef19926bb32a5dac52d7e2d0089a4c4bc18ec6d0feb7a84b44ff6f9dbf6a857e
SHA1 hash: 993e3f753f91d34cf47577de756faff550c57ea9
MD5 hash: 56aed2990f9b4939304c6a3e86f92883
humanhash: river-illinois-seven-quebec
File name:Request for Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:487'936 bytes
First seen:2022-11-25 03:18:31 UTC
Last seen:2022-12-08 12:45:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:YhukJjG7ncwnQolTAz4FzOr71pAKgR70wRNt91p/oebwN0GL6FVV2xqH+bCIVv26:Y8USnwQnO33AKgZZoebayFbbbIVAy3h
Threatray 656 similar samples on MalwareBazaar
TLSH T1EBA4237CB6CDE6ADCC4665BAC70EDC06C382A5D7488FE8CB49D8464232EB73204755B9
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation.exe
Verdict:
No threats detected
Analysis date:
2022-11-25 03:18:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ae2e417-35de-4aa9-9428-15f599b8ee83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338258/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1683.23789.7627.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mimikatz packed
Link:
https://www.filescan.io/uploads/63803426536377388865c6c1/reports/1c2afe5a-9116-41c0-a7e8-58995d338c3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72d7de7e-e57a-4f77-b73f-1615bb3ceb55
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120838
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d/
Threat name:
Win64.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 23:46:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dtxo25mprhq22rlumyu77hw6qybgdgt63z77rfyjfvtd3wjaq6q._file
Verdict:
malicious
Similar samples:
0a83c7e2b213646c2861d33fb49bd12c9fb43f1e19fafbfd618bd4b17a07aabf
AgentTesla
17781abe73e2c5aca6d20dd339a34f223a4dcb2de58bda4fa6679fdb83a5688e
AgentTesla
17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
AgentTesla
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
AgentTesla
67600d161c7a30d3a06b1f49332e26a4e9010536dca825ba294802934c4358e5
AgentTesla
7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532
AgentTesla
803ce3a81dac97819000978aa8798f1d2464e12785d1625aa5ee01d0589ec8a2
AgentTesla
b5b8524f2b24683dbeb07c9af2ddc8175a7a7b8925fd2db5f9776be568c2135e
AgentTesla
f194cc1d2476f819084e0612933173c0a8302453d32f77331e39a5d96ef5e46f
AgentTesla
+ 646 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221125-dt6z5sgf45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a47b5f0a-d720-49ec-9ace-cd9e059890ee
Unpacked files
SH256 hash:
d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d
MD5 hash:
56aed2990f9b4939304c6a3e86f92883
SHA1 hash:
993e3f753f91d34cf47577de756faff550c57ea9
Link:
https://www.unpac.me/results/76d7d055-ba6b-4a9d-bc84-c59c83a523a3/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0e7776bac7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d0e7776bac7c4f0d6a2ba3314ffcf6f430130cd3f6f3ffc4b8496b31eec9043d

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/338258/

Comments