MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6
SHA3-384 hash: 704233f74bf48b3bc3143e6a4805538994e5788537842a5ab211b1838db4f36c4610e0b64f531e573434e91cdcbe7556
SHA1 hash: a25e7fa87bee404fd21c0b0fa8bb7f4259269e08
MD5 hash: 3ad703be3ad38ae881f39d44cb72974f
humanhash: beer-london-wisconsin-twenty
File name:Sales Contract.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:292'352 bytes
First seen:2023-06-07 17:41:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:+38E9p5Y2o98uJbm44lyK+zrdQ3e6WRGlkiNzsYRBGklNaf:ozQAyKedQ3e6WRGbsGN
Threatray 3'462 similar samples on MalwareBazaar
TLSH T12E54015423E8AF5ADC7E77FE81611C61A3A2B4521017E25D2EC5B1CB7A37B001245FB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sales Contract.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 17:44:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6247d959-4a2d-4768-b68e-7a2a555401fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396601/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.28312.3120.1684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
comodo lokibot packed warzone
Link:
https://www.filescan.io/uploads/6480c16cb73c51f45e00e7f2/reports/1a16c164-1b9a-4b77-b43e-481eea172d9e/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8f01178-c73c-4d21-8832-220870b8bf2d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250555
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 17:42:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5v7xjj7qrqjt2rkmhmsijkdofcglgxzdnpbyrg2pzuwi6azwah3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19b36c4993d5767c52507537eb984804e5c0aba02483993ed6dcf6fc92120888
AgentTesla
1a6889803b766ce102a10973126f946e3618a0f80c1cee6d902304d2ffae06c5
AgentTesla
511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
AgentTesla
813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222
AgentTesla
816dcc8bb5070ed2db687bdb064a383c946c8183f5e0c089f2453653be8a3086
AgentTesla
84c7973871a6a639c40534f9e3fd7135bd35cd1b0eee937cc849af90c903c4c2
AgentTesla
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901
AgentTesla
b6e2144718d44a1723211a5172b2827284335df121b4b61df35292cfae73fd88
AgentTesla
e5950c07075986a0e853f4e919e1c39f0e64a878ff97143a1d49ea5a4eb186df
AgentTesla
+ 3'452 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230607-v91azaec5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f066c5988c957aa7314409799d8e21d7460ac80bd595993ced0fc593ec501edf
MD5 hash:
09c269cbaaa61a4507a25bc2768cb493
SHA1 hash:
c4f7ad2aac74148efa851b881f49cb1b6dac3887
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7a06adc6-218c-4e35-93ea-4813935e4ecc/
SH256 hash:
db9a6815dc7f45b2ccf9ff257d143c9e5298a67e1e0418d10251724addd05c24
MD5 hash:
815f8a5e55b36c5c14b3344e8bf50811
SHA1 hash:
937eaa830463f84c893f1e15c2f634c6a9e199eb
Link:
https://www.unpac.me/results/7a06adc6-218c-4e35-93ea-4813935e4ecc/
SH256 hash:
a440b5929848e6071f401a94fc1a040f14094bf7701b151ff409aeaa60e05f95
MD5 hash:
909be53831182d523ccea3c428d59c4f
SHA1 hash:
8f8f99a97544638bdfc02b5f8054f833f46eccaa
Link:
https://www.unpac.me/results/7a06adc6-218c-4e35-93ea-4813935e4ecc/
SH256 hash:
ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6
MD5 hash:
3ad703be3ad38ae881f39d44cb72974f
SHA1 hash:
a25e7fa87bee404fd21c0b0fa8bb7f4259269e08
Link:
https://www.unpac.me/results/7a06adc6-218c-4e35-93ea-4813935e4ecc/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed7f74a7f08c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed7f74a7f08c133d454c3b2484a86e288cb35f236bc3889b4fcd2c8f033601f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/396601/

Comments