MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a
SHA3-384 hash:	120c44f33786aa7955ddc81c1e558ff5895918ed91cfacbb0fb85cddb6fd6ee3b412aa2617b78ae4b922300dce8b6ecc
SHA1 hash:	8f1f3cfa393480e732d127f1cf39a8219a26e357
MD5 hash:	a4ec3b547e1e03c49cb60fa76f8c2935
humanhash:	purple-pip-georgia-foxtrot
File name:	PO#JB2210-0005.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'198'080 bytes
First seen:	2023-02-28 12:25:37 UTC
Last seen:	2023-02-28 13:54:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:hxgme9HkGUIUigvyWdVvkCVi1CA6/+o9x/6qW:3gme93URPd6xa+W1B
Threatray	1'033 similar samples on MalwareBazaar
TLSH	T10B45AE4893B34472FBDB12A51875228C4EB872CB3585F21B4F673751A522AFFB29F502
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	004c4d4d69694c00 (12 x AgentTesla, 5 x SnakeKeylogger, 1 x Loki)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO#JB2210-0005.exe

Verdict:

Malicious activity

Analysis date:

2023-02-28 12:26:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/273e74c4-9194-43a3-9415-8d6c890f525d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370624/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230228-0437.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fdf2dc2ea6b3696630042f/reports/b8f183f5-02bf-4d0f-a6f3-12e10f89acf7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0e55b02f-23a5-4b3c-b8ea-4ede2eeab6ee

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1184211

Signature

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-28 03:22:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27vaq7pwytdqsjpnpisribpiyejtmvfnllk6hy6iam5f6depjeva._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2

AgentTesla

7529d7b16d20ec060e5345cf57adb813d19e11542ba7a562a642c9831229a914

AgentTesla

a530d39c6e1b1505e94f7026eb82191062e6a0f62ddbb03a4bcf0eb295c3d518

AgentTesla

a84aad3732ea9ed162f345bddceeb44da8b25e0ab4fd4e55848c1804d00d652d

AgentTesla

aab69d08523d6a6e50f3f057aa975bc80644725fc3f458281d97c974170c4f7b

AgentTesla

f78e0eaeea2dc023c3101368c164271f4447a1b4a54fc5fc92a31aa1733792d8

AgentTesla

+ 1'023 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230228-pl6vysbc79/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

f36b2797c55e2c468fd4b8967595072eb7d8bbefa7141ed3b8be18a682bcc27d

MD5 hash:

959d1defd67f0fe6752f4630cae45dea

SHA1 hash:

fbd52ee8cc99e191a0431b799b48e50a22c193b4

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

SH256 hash:

517413f82f05113c18ca0e2e0799d6c6674721d38dace8a412535955e1470d70

MD5 hash:

2d8727f357ce068e9814a6d994812280

SHA1 hash:

e8284f8a5eb324ad04acdff92de7a10cbb62e251

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

SH256 hash:

eb9030a0c9d8c5736042f40963c716dc30086b245797ef1c9d90c3d06e81ca6b

MD5 hash:

beb918769ff7b7b8b646c46d86a15fab

SHA1 hash:

92f710891d52deb7c2d66b913ba0be975afe1217

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

SH256 hash:

c6e704bc2fc0f38952347a2d4a0ba1d23edcbfab36b793d9ba1412ad0b8558cf

MD5 hash:

06dc7f31999f92e527b6add15e6ee547

SHA1 hash:

80e7c90370b3011d1b192b525b3077c2ea635fc7

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

SH256 hash:

22bf79cc5f637cf433162937c2c0a982f759712717ff496a275f9f449b7f572a

MD5 hash:

f7fd1edaad3be2fdd02a11b1077e2704

SHA1 hash:

08f5e8993a5f685f7ad7f4c92b1cbf8ac91c6c94

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

SH256 hash:

d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a

MD5 hash:

a4ec3b547e1e03c49cb60fa76f8c2935

SHA1 hash:

8f1f3cfa393480e732d127f1cf39a8219a26e357

Link:

https://www.unpac.me/results/bd9b8d4b-2cca-4d38-92f9-e1dfa72b1a9d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d7ea087df6c4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7ea087df6c4c70925ed7a251405e8c1133654ad5ad5e3e3c8033a5f0c8f492a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.