MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3
SHA3-384 hash: 422ac67fdb21890535a681fca1a07c2c2c22db8847b7d4f59d21ebcbdd02b8bae3fa9884f0a83b013339779fa3c97543
SHA1 hash: 3fd013bc8728cb62e8e5340fc50a87fbd6cc93f2
MD5 hash: 053e2f0c336003014f67b71f3fb178e8
humanhash: princess-eighteen-sixteen-six
File name:CALCULATION REPORT.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:720'896 bytes
First seen:2022-01-21 10:21:01 UTC
Last seen:2022-01-21 14:13:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Hx0+li0GsAyoCWhESu7en7lx49nHlUAsbyzpQcq6+ievYF:3GsAuQp2n9vpQH6+ievYF
Threatray 632 similar samples on MalwareBazaar
TLSH T156E4DF0132F88B45D8BE8BFA8836109017BEB94AA835E75F5DC1B1DF0CB1B819766753
File icon (PE):PE icon
dhash icon 1efef2c2e4a0e0e0 (16 x AgentTesla, 3 x Formbook, 3 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221398/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.37153.21892.24051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand.exe ftp.exe obfuscated packed remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/61ea8915d32385db63147211/reports/69bc11e3-7ca8-4699-a528-afd4a19be711/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d4560cb-3735-4a4b-b1b1-32b2341a7951
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925112
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557590 Sample: CALCULATION REPORT.pdf.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 14 other signatures 2->67 9 CALCULATION REPORT.pdf.exe 7 2->9         started        13 catch.exe 5 2->13         started        15 catch.exe 2->15         started        process3 file4 49 C:\Users\user\AppData\...\TOZJLyRUOQQj.exe, PE32 9->49 dropped 51 C:\Users\user\AppData\Local\...\tmp4216.tmp, XML 9->51 dropped 53 C:\Users\...\CALCULATION REPORT.pdf.exe.log, ASCII 9->53 dropped 77 Adds a directory exclusion to Windows Defender 9->77 17 CALCULATION REPORT.pdf.exe 2 5 9->17         started        22 powershell.exe 22 9->22         started        24 schtasks.exe 1 9->24         started        79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->81 26 powershell.exe 15->26         started        signatures5 process6 dnsIp7 55 smtp.tranpotescamdonic.us 17->55 57 us2.smtp.mailhostbox.com 208.91.199.225, 49821, 49825, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->57 59 192.168.2.1 unknown unknown 17->59 45 C:\Users\user\AppData\Roaming\...\catch.exe, PE32 17->45 dropped 47 C:\Users\user\...\catch.exe:Zone.Identifier, ASCII 17->47 dropped 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->69 71 Tries to steal Mail credentials (via file / registry access) 17->71 73 Tries to harvest and steal ftp login credentials 17->73 75 2 other signatures 17->75 28 conhost.exe 22->28         started        31 conhost.exe 24->31         started        33 conhost.exe 26->33         started        file8 signatures9 process10 signatures11 83 Adds a directory exclusion to Windows Defender 28->83 35 powershell.exe 31->35         started        37 schtasks.exe 31->37         started        39 catch.exe 31->39         started        process12 process13 41 conhost.exe 35->41         started        43 conhost.exe 37->43         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 10:21:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
54
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66tjkvyghk5knjnneq4ox3vdr2jpcemernip6gzj2nvq7wh72krq._file
Verdict:
malicious
Similar samples:
025284221fc921e25dffb77825e526c94205372dea931233dc6d5ce8ce35c462
AgentTesla
176f35bde47c4bec6c1b3df8f1b8a8ad5f47040be0889123e988e8fcd0022320
AgentTesla
40c324542b9ade8ca19512fc97c0c68582f1626803ef5cedb833b6533d48279a
AgentTesla
53870aefd3a2ecf727142d294e55b106a70eba55996cb1ec50963e0bc49bfb09
AgentTesla
7008ea692d929cb39dc75735c2020128de663f205441a1dc9eb04727e2058226
AgentTesla
89c9a52351f75b5be88f745b84dbb5c16930cca9d932f33b008993167e022e70
AgentTesla
b575c6747299894b60f1546924d45e720a1e0761b7dbe4498e5758ebcb786a73
AgentTesla
cfda08d0d131008a1773c627f0508e861101d642bb66ce531a165452bf57a115
AgentTesla
+ 622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220121-mdnnasehbp/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Sets service image path in registry
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f666077075960e80dd70efd4deec22cd6e48cfa13ddf051066a9bb7d09ec69f5
MD5 hash:
13a76462dd2d14d4efa2c2311b80203a
SHA1 hash:
b6cac268702e5df3a93b3f8717b08cd2149f4792
Link:
https://www.unpac.me/results/a2a0c5a4-4b9b-4cf2-b563-8f7d28009951/
SH256 hash:
b094430d82ea5b31510b25ffadd0810ebb8b17094319fd29e1968f93b2319cd3
MD5 hash:
ed3630f32582fef7eb4dd7a306beffd3
SHA1 hash:
87d6bb24ba7be0680d0056985af0cfcc8987bc6e
Link:
https://www.unpac.me/results/a2a0c5a4-4b9b-4cf2-b563-8f7d28009951/
SH256 hash:
800d439ea0ce07db668cf5e23eb2d0bb95aa0a97a4ff53f5be3aa8dac61682ff
MD5 hash:
e3938e74a6ffadbebfcde4cfeaa391bc
SHA1 hash:
1a73e71e4c3c299bf0a72fadd6abad57ec3803f8
Link:
https://www.unpac.me/results/a2a0c5a4-4b9b-4cf2-b563-8f7d28009951/
SH256 hash:
f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3
MD5 hash:
053e2f0c336003014f67b71f3fb178e8
SHA1 hash:
3fd013bc8728cb62e8e5340fc50a87fbd6cc93f2
Link:
https://www.unpac.me/results/a2a0c5a4-4b9b-4cf2-b563-8f7d28009951/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f7a69557063a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f7a69557063abaa6a5ad2438ebeea38e92f111848b50ff1b29d36b0fd8ffd2a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/221398/

Comments