MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d
SHA3-384 hash: e0052a2aeebade19117f77e12320efbc1b84af7d1bafde03e76a4828a555968234221071242034e628c992c2c80ee6e0
SHA1 hash: 283e63e1469f53fc8172214cd89ce938d0055793
MD5 hash: 61c30295f46d1f616bc3882d3f7536f0
humanhash: golf-river-don-juliet
File name:Demanda de pedido.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:610'816 bytes
First seen:2023-04-21 06:04:13 UTC
Last seen:2023-05-13 22:49:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:+uf3rXorFkTbpYzSry3JnSmCghOtny5ftbqpb8JhiPfYW9M:Rf3U5EbmSry3J1C6pf1s+A2
Threatray 342 similar samples on MalwareBazaar
TLSH T141D4D0E1712B6782C77AFEF0236961311FF252B7E640D52DBE0E24C679317C046986EA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla ESP exe geo


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.nereus.cl:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Demanda de pedido.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 07:50:00 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/4d52e03e-5b92-4ca5-9e4c-84e2261059b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383902/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644227902eb85408cdf67a55/reports/ad0142e2-f1df-42cb-8f66-a84862b4b64c/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/896ec482-78fa-41bd-bdbe-6f26e511c98d
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218460
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 21:48:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5v43pvdx35gupl2dy4dbxw26bkks3cdq34qt5nbprt7eoxqyxwgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce32c16206589dd28d7dd0b8d72c5ea452eae2a448e66dd76c25e7a66b64525
AgentTesla
1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
AgentTesla
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
AgentTesla
98d4406e8ee40991fc7008774e833e0b6cf758ffedd7e06023a926a06646591d
AgentTesla
9c5a321ef423a10c264e0bc599091753b279c557b18b2f655bcd4eaf7d883ee5
AgentTesla
b6073f0fe939a36e9147fa93626285d80d85bee98ba66b5238dea87eb4e4f354
AgentTesla
b828e57eb67420551529ae16c87e86a405a6805698df6957a45f409edcfa7733
AgentTesla
c7db7fa3a5aeba74a3733ed0d0c3a8007c973c122ee73ac0161c2e56d24d1f07
AgentTesla
efcb803043e60001aea737d0033b2b91c52d3a3d13d1c22c94f79511cfed17a3
AgentTesla
+ 332 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230421-gs7f3aee26/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
b59eda7618c195a4d5cbffc557c12111cbdd0843d7c7b530708e99982e73032e
MD5 hash:
4a2e568271a7fe4b4b70e7ff06316d6a
SHA1 hash:
fd89058e38e0ec1a87e13fc8d125028f094d4a46
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
SH256 hash:
283e6c38e894c9acfca3bb594f9513cb36c3998e3a943586de902e0fa826b31b
MD5 hash:
7254b560cb6b894d494b0db58c4f2da7
SHA1 hash:
5f8e20188ed5a144d013c40166c11486e2c59996
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
SH256 hash:
6d2914ac58ea14350758971047034e53169f95c8b3c0b5ece6b6836e24f4d28f
MD5 hash:
691c81e448f4451476f820e1376ed3dd
SHA1 hash:
5d5567f07ef08f865d0faf552ab5736da270a087
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
SH256 hash:
8fb38bf49dc8401366e72a94338662507531aa6686ec35bb930084a12c82e100
MD5 hash:
8873ef90ebfe8ed62adfa517fe7e3660
SHA1 hash:
5a9984084d4c8a25f647009b8e7c328d36434f22
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
SH256 hash:
0c4b52a23d423aee5a1653e08541cd88adabf0a86713fbbd7fb8e5a53f67cd20
MD5 hash:
a93909a7218da480bf54249f480680f1
SHA1 hash:
46255d0916e038db1b592d0945349efaaab0f7be
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
SH256 hash:
ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d
MD5 hash:
61c30295f46d1f616bc3882d3f7536f0
SHA1 hash:
283e63e1469f53fc8172214cd89ce938d0055793
Link:
https://www.unpac.me/results/b3c7a28e-8cd4-4292-a74a-8c7e1487c1cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed79b7d477df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383902/

Comments