MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05
SHA3-384 hash: a73477c1874874340ee3c060e9a18b4000e41896aed9a2c01ea4dfe3cfdfa0db591487bdb6b9d7dc1f4b62a7e69f42f7
SHA1 hash: 95e422b7612ed3262577d4a35c8a135552c94df7
MD5 hash: 7a7b91d6b66cd23fa879506eaa0cb829
humanhash: west-comet-delta-arkansas
File name:payment overdue (2).7z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:649'290 bytes
First seen:2023-12-01 10:04:48 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 12288:IXRp6d4oY1dhwhKWtGMzfo3cyjuola/d+4HU6e9+hXpKE5ls:IXRp6d4oGhLWLzfo3cOlaISjhXQ+s
TLSH T171D423038426D1B979721BBECA3BD40D9200295F49B36966BFF511DB117262298F3BEC
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:7z AgentTesla payment


Avatar
cocaman
Malicious email (T1566.001)
From: "yu.sun@fuyaogroup.com" (likely spoofed)
Received: "from fuyaogroup.com (unknown [91.92.248.50]) "
Date: "1 Dec 2023 02:03:54 -0800"
Subject: "Overdue Outstanding Payment"
Attachment: "payment overdue (2).7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:payment overdue (2).exe
File size:857'600 bytes
SHA256 hash: 951f66b51f796de5f9298aa1f97c49e392083f6b570fb31df72610999fb50769
MD5 hash: 13e7ae190b0ab1250c199ac339217231
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05/results/dashboard
Verdict:
Malicious
Labled as:
Mal/Drod7zip
Link:
https://www.hybrid-analysis.com/sample/e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 07:21:49 UTC
File Type:
Binary (Archive)
Extracted files:
40
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4w3qlyn6e3ar33xxh3yh6aocia6gh3w2cwd325qe4osnz3wcx4cq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231201-mjvnsshb7s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e5b705e1be26c11deef73ef07f01c2403c63eeda1587bd7604e3a4dceec2bf05

(this sample)

AgentTesla

Executable exe 951f66b51f796de5f9298aa1f97c49e392083f6b570fb31df72610999fb50769

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 951f66b51f796de5f9298aa1f97c49e392083f6b570fb31df72610999fb50769
  
Dropping
AgentTesla
  
Dropping
MD5 13e7ae190b0ab1250c199ac339217231

Comments