MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003
SHA3-384 hash: 1b906f89628df1c38da7431fcad66b12d350d5b86849946f419fefa7d906078883cbc21492ea116ea1958ccab0045cf5
SHA1 hash: 9ba487b6937194ed1a4d4b678aec0b584d5f9375
MD5 hash: 162e82db2fef25d2260f56ffaff75aff
humanhash: indigo-december-bakerloo-hawaii
File name:z1RC_DEVUELTO.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'056 bytes
First seen:2023-06-23 12:13:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:OwK54/mNUAZdM5sLd3iGjF5e3/GdVlsMRPV544chvzAJV:rK54/QUodMG5iGjF5Q/Gdne4clzAX
Threatray 4'040 similar samples on MalwareBazaar
TLSH T13FD423186604BD2BE5B65C7A28969214B3B6A2613366C3CE7DC7307A1FD3FC425139CB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a0300898f47e361c (7 x AgentTesla, 2 x Formbook, 1 x Loki)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
z1RC_DEVUELTO.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-06-23 12:15:47 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/e66a6632-a571-4a17-947b-e512bd7d9110

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402187/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2133.2395.9424.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64958c8b20eac562407a15c5/reports/62e2a1cc-dfef-4ac1-863f-74c759e15c6a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/566a0e82-901b-4fcd-b855-19a78770a9ff
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1260435
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-23 02:18:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27qlpbmku4sgrelvmxegmedim4g2i4d2q6yqhb6ktqywat4qqabq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24c833b34f54668f74ebc8f23d79777b766fcc52b7a4006f9b6936b56ef11a17
AgentTesla
2f10fa5c438a3d36f5156ff280926c9135bbc7b8f6e260dc322da83c0b7076f3
AgentTesla
2ffb5ab12548ae624d295f7e17a2f4115cfe1382d87cb548d6576efd546d7989
AgentTesla
4d6e6965c6ab38f3ebd1a2ec242f4226b6807386ce5a1755678e242023d04f7e
AgentTesla
779a609fb967044a625ac9771921cdbcd4f07991f407014a1576e092826f11ec
AgentTesla
a8ddb09a16d9a6989c8bdd783722c939082bc42b871b3cbfe1cfd8532176fe0c
AgentTesla
c261674efa44bd9deebcf6b478ffc330fc97f73b8ca586cc8c79ff6de693bd1c
AgentTesla
d5e90ce1f8eb541722c1fca05abb1f729b7a886c44c9aa93b1477a6183c9476e
AgentTesla
+ 4'030 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230623-pebfgaga7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1121612882715623484/I3cFeTaVK2D0rHmgWLpHuvfqCnR2asHRO1YrHsPXlTw37lxNdRPsAbGv-Hl0Qva5OkvV
Unpacked files
SH256 hash:
5449ea3e1ac16e78556410be1bd386f737727db59171b8552ce1acf9909be473
MD5 hash:
db1329ef63cf8de6dd8b7bd9fe1040ce
SHA1 hash:
f5f8242d4aa30590ae36cb6603e62ddfb4181ee3
Link:
https://www.unpac.me/results/4665ad4c-e200-47df-8fae-37cd3aa3dc5b/
SH256 hash:
116b3173b2778949662c7394791b163f303ae1d2e5a064ff0d3746897cc2fa44
MD5 hash:
83d3e09093b3f4529235b2a34563a568
SHA1 hash:
bb571f152a89630832c905965a4d42d2854d2f01
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/4665ad4c-e200-47df-8fae-37cd3aa3dc5b/
SH256 hash:
9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5
MD5 hash:
adac60763fcfe4d5f4ad323046e79500
SHA1 hash:
9ced772a90ddec9fffde8c745225ad289f3f087e
Link:
https://www.unpac.me/results/4665ad4c-e200-47df-8fae-37cd3aa3dc5b/
SH256 hash:
973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130
MD5 hash:
3794c5f7b240e4184d6ea90c5bdd9ec6
SHA1 hash:
26b9c4a753779b4994fe38c16dfe70b07efd3e0d
Link:
https://www.unpac.me/results/4665ad4c-e200-47df-8fae-37cd3aa3dc5b/
SH256 hash:
d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003
MD5 hash:
162e82db2fef25d2260f56ffaff75aff
SHA1 hash:
9ba487b6937194ed1a4d4b678aec0b584d5f9375
Link:
https://www.unpac.me/results/4665ad4c-e200-47df-8fae-37cd3aa3dc5b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7e0b7858aa7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d7e0b7858aa72468917565c8661068670da4707a87b10387ca9c31604f908003

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/402187/

Comments