MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138
SHA3-384 hash: d89791af17bd31eb0a481a4e78b255f9a16a2ae64a270a87f9c51bbce345acd0ae49a103d6775009bc61fc5201ce8351
SHA1 hash: 10e916d97f102ae2323657821b6e6e0247c2879e
MD5 hash: aeb27d7bc8efea454d810e655838b212
humanhash: solar-alaska-low-magazine
File name:PI.7.7.2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'222'656 bytes
First seen:2021-07-07 05:05:24 UTC
Last seen:2021-07-07 05:52:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:v+V+HCzGqM7R1iuEvZp+L5UDn2Kqu4g0biYuWOBfWlB:v+VRG5RJ7L5w2oKbiBBBE
Threatray 6'410 similar samples on MalwareBazaar
TLSH 2745CF7A60338B92DEAFC7F90331652E4F6DAFFD914AB2741844B47900F4B4D4A6192B
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI.7.7.2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-07 05:07:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de439b8b-fff0-4b94-8485-0148637de4c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170098/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DLO.genEldorado.32337.8037.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7674a45-ac2a-451b-970e-ade00f430226
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812682
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 04:27:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vrdsj7jkiz6oy4x5zgv4ohp3wcrzydineg37nejjgooysaowe4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03bf3837d12349b60810641787e63fe73cc1136022cb97e7ce6575d22cd00f34
AgentTesla
2684761e515818d91fb705bd74babffe9519789b3c4c4e1ebde638a2a354ab92
AgentTesla
4f6d15e0a5a3dddd32bf3d244321742f2c47eae5d42c1124283c12328bcc1962
AgentTesla
7e8a3a6800429de4f4a827dda3218caa09d65e5c3e0d52ad30ed0ba208ee281e
AgentTesla
a1feadf16ad13dde154e2cbd1ea50df42ad148765496292d15b30e2b642160dd
AgentTesla
a3da054acdec041cec534afabc094efd15d497fab37050917589a8ca2ee0f0fd
AgentTesla
be99f4cf0f0bf5a1cb9037621b4a14dc9ac61b58fc22facfe6c9ead7a9297c86
AgentTesla
dadfcbf2bb1e7a6e7f4241f480d0dc9107587575fe2167dd82507c28ed3c4296
AgentTesla
dbffc779723c87d09447432bee7157ecd7422c635af06164f9a587f3d31bc209
AgentTesla
febfc061dbfdf4ae495f3799be54f4f3490ab964a150960d296c2989c1e6ecaa
AgentTesla
+ 6'400 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210707-ymqpwdf2rs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
5b7b077dabb0fd8dd45c77afb191d2b754ffbed17c4752d7c12ec05f4caed637
MD5 hash:
b04c8b25f835858cdc26cbcdc13b67ed
SHA1 hash:
f3f3d18ca31b270100a5c1fcf34d6dbee719e35b
Link:
https://www.unpac.me/results/31d01b69-94ad-4f02-bce8-a25e633f1289/
SH256 hash:
d0dd2caed46caa5be71f1d6d2b8766b6aa6c6f346d178d9da59104ada132ad0d
MD5 hash:
45ff2c3dfcbc954cc133a3c8c03d20b6
SHA1 hash:
8938a222a9da30cded2ca6ac3e72d107cc7fed89
Link:
https://www.unpac.me/results/31d01b69-94ad-4f02-bce8-a25e633f1289/
SH256 hash:
78dbd7dc194b75aab1021f637539b673075f51db8a785e0426bf52cc8c4694a9
MD5 hash:
b4edab4359c64604d911d0fb6aada826
SHA1 hash:
0febceb5e991e0c869a3c5fbd32e592b9e66f5db
Link:
https://www.unpac.me/results/31d01b69-94ad-4f02-bce8-a25e633f1289/
SH256 hash:
dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138
MD5 hash:
aeb27d7bc8efea454d810e655838b212
SHA1 hash:
10e916d97f102ae2323657821b6e6e0247c2879e
Link:
https://www.unpac.me/results/31d01b69-94ad-4f02-bce8-a25e633f1289/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 9627f98b6a50fed8620dae19198edfce38b9ac6e405431ef3b02f90a3904aaa2

AgentTesla

Executable exe dd623927e95233e76397ee4d5e38efdd851ce068690dbfb489499cec480eb138

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9627f98b6a50fed8620dae19198edfce38b9ac6e405431ef3b02f90a3904aaa2
Cape
Cape
https://www.capesandbox.com/analysis/170098/

Comments