MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128
SHA3-384 hash: 1c9d5b88faf52b2452bdcd291f1e82024159c2a1e553810416a5b2c20a85e24b54d381e9b7ec0fd2f0cee7cd6d8c007f
SHA1 hash: 7076a4abc927e7277d05d76dbc26f075e6b05aee
MD5 hash: 24cd228e96ef100ad7b473c76677b961
humanhash: cola-quebec-venus-blossom
File name:Bank Details_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'029'120 bytes
First seen:2023-03-13 11:42:44 UTC
Last seen:2023-03-13 13:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:B03l1K8tUyZmMRxEy0gL0iifhv+nvMGXrRlgKiM2WMGD8GKURZMCNzaxqkPOOfRp:m0fv+vNiCp4GKURZMEkPOeWpfp5
Threatray 1'383 similar samples on MalwareBazaar
TLSH T1AB256AC25374481EFD601E7E335864B3DE93CC99E8DBB2AF1A87BC2A64F844405DD962
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Details_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-13 11:45:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b8b9f686-346e-4227-9852-effea97bc768

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374013/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1878.11560.23467.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/640f0c47e746e0a329daa25a/reports/1cfd7d82-8974-4cc8-b77f-a2b1cabf568f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11e07f34-b9d2-44cd-a1af-07c6ac03e733
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192449
Signature
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128/
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 08:24:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=24d6mxr32545lxifm7bgak45d2bvqso3dyw5wsxzse6yqgk2ueua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
120de63b8f726ad218289a7562f96160b9a01b5cc62bf98761628b1667502bfa
AgentTesla
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
498a462f90680268425f0be93b68cf289a0aafa02c9159e2f708a55d7c694896
AgentTesla
5b62fd08b3a979449bc21a217e7057e710e5a66ab1f4159a935db45629e24156
AgentTesla
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
AgentTesla
94eb87f7e3499f7875eea1009b89bbd70aa5c99b1f82754aac3db216a88dfa58
AgentTesla
c5bcba031555d4b9a8356b606db8577d2e600b4bbda4e970b4da3e2637123f65
AgentTesla
e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
+ 1'373 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230313-nvkteacc51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b8877238b6459130d57677dcc70e394950469c7090b2e70973184d7696ee3a32
MD5 hash:
6ba7a5936360514981731ebd2d845c46
SHA1 hash:
bbe1c9f1489ebd1344a066a8f9939b2b67792186
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
db38dc32dbedb084148c8b65763c5c1ffe7c93af3ba081db1eb3fa1762771f97
MD5 hash:
362761028bb67598fd600d00f7744376
SHA1 hash:
92a387caa6718c0e7e355fcf3b1ddd845c1be523
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
SH256 hash:
8bef0ec74b927ac081ee6de8852a0f6355e12f2fee84c559973143a440be6e83
MD5 hash:
5f722a6c12149fed72723488b5d960f8
SHA1 hash:
8e8379dff4eb546fec46811332af009bb972cbcf
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
SH256 hash:
f9e1934f0dc45470e9811e7f4ce0444c9533ad07c9d556b65ad08c6f227f140b
MD5 hash:
9437aaaa99727eb00bc0b0a52f7a6a68
SHA1 hash:
4140a9068222b5d053ee0c1b28ff9e7f9b75aa19
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
SH256 hash:
d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128
MD5 hash:
24cd228e96ef100ad7b473c76677b961
SHA1 hash:
7076a4abc927e7277d05d76dbc26f075e6b05aee
Link:
https://www.unpac.me/results/c2f0ee72-dc2b-454a-b044-fe46daa0a0bc/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d707e65e3bd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d707e65e3bd779d5dd0567c2602b9d1e835849db1e2ddb4af9913d88195aa128

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/374013/

Comments