MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f
SHA3-384 hash: 62eef9193dc330d27d09fd0c85fc5e10b957f4225a46ba1b3c21e343e0b4804bc225ffada6b4dfaf9e711989db1e91c8
SHA1 hash: f197615adff4daace92fd2f0c4f266a6170aa464
MD5 hash: 6fe36f5cd0c522ca1241658ec2553db3
humanhash: gee-fourteen-triple-comet
File name:Pepsico Company Profile.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:664'712 bytes
First seen:2024-08-13 14:08:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:BY0bffsWYCGpoTt4wT3eFjtyiyCgchaxpvQfSgYE:BY0zjqgt/T38jty8hs4fPYE
Threatray 4'149 similar samples on MalwareBazaar
TLSH T1F1E423A8F39ED063DD621472526087A7AF34F02528D59316FB442A4D7DA2BE0BD0E3D3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter threatcat_ch
Tags:AgentTesla exe GuLoader signed

Code Signing Certificate

Organisation:Ddlkres Bespotteliges gunvald
Issuer:Ddlkres Bespotteliges gunvald
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-15T02:48:24Z
Valid to:2026-09-14T02:48:24Z
Serial number: 55befdc6bf3edbd850d134e95c14fbfc9e019cb7
Thumbprint Algorithm:SHA256
Thumbprint: 046706a8e63b1c4e1a3f58e4d04233c7f45d3bdd1467deef8ebb9686ade5b7c6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
459
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://107.172.31.124/102/sihost.exe
Verdict:
No threats detected
Analysis date:
2024-08-13 11:55:08 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/9c9a0bce-dfd6-444a-bf20-84988d541429

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.NSIS.MalwareX-gen.19525.25553.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66bb6900aa5b40be0aa028bc
Tags:
Encryption Generic Static Injector
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Delayed reading of the file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66bb68fed6cbecd2e802fb0f/reports/f8c5b54d-9bbd-4f5d-93e7-c5196571a99a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1bf6a790-3824-41ad-92a2-90142a3e3f2c
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1492247
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-13 08:45:30 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47s7x23wa3643msgvhpu56xsrfviftjtlov55wjddxmzbiiqmkhq._file
Verdict:
unknown
Similar samples:
238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
AgentTesla
29032ae14e315863a55a0851c3e1c9cb246beb4513a279d8b1bf7fac97be6ff7
AgentTesla
2bab4b4ef0cd5ce5f2dff0ddcbdfb7295c0d141fb4c88ec305268b24a3e23a5c
AgentTesla
3632e05e0742cd8f5d764ecaf243796aeb11ba5dfa858d4a2a2fae1d04734dcb
AgentTesla
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
AgentTesla
9ada0ca121fe2b402b0da1728cd9f1fbb36d61a62fd40bbe8428756c329e04e8
AgentTesla
da9c5f609ebbcf19aef3d6992d451ccbe4fa77858660f6861146d1a486e1d98e
AgentTesla
e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
AgentTesla
ebb0272ecef9d8bf07a71b9ead8718760d27c4fdc334fe2de7a8b93237e61044
AgentTesla
+ 4'139 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240813-rf4vhsxgnc/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6d825ba3-be01-4f1f-b955-34b0e039fd08
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/9bb00056-43ed-4bfe-a3a3-67e29871beb2/
SH256 hash:
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
MD5 hash:
68b287f4067ba013e34a1339afdb1ea8
SHA1 hash:
45ad585b3cc8e5a6af7b68f5d8269c97992130b3
Link:
https://www.unpac.me/results/9bb00056-43ed-4bfe-a3a3-67e29871beb2/
SH256 hash:
e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f
MD5 hash:
6fe36f5cd0c522ca1241658ec2553db3
SHA1 hash:
f197615adff4daace92fd2f0c4f266a6170aa464
Link:
https://www.unpac.me/results/9bb00056-43ed-4bfe-a3a3-67e29871beb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e7e5fbeb7606fdcdb246a9df4efaf2896a82cd335babded9231dd990a110628f

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3104947/
  
URLhaus
https://urlhaus.abuse.ch/url/3104948/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments