MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422
SHA3-384 hash:	3ce28fc62d6a3d9dbce3a56c53fbe2710eb0b9abead3ce84789e41054148b4b669e95aac172e07dd0d62f2bd21388e8f
SHA1 hash:	910000453b8aeca51e0887c9e0ed62270ca85bb4
MD5 hash:	fc823514083f7b068ec30271361e88fb
humanhash:	mango-ohio-paris-sierra
File name:	823.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	877'568 bytes
First seen:	2021-07-13 16:49:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:sLK0XN5GnTOdU+CHpZgMBB61HdZa0EH27fpdZrsoJjpb2eedUiFbbL1Rlp7BXtI:vXB61rJEHopbo0Vz0XtTe
Threatray	6'695 similar samples on MalwareBazaar
TLSH	T1D0159D3C23FEA409F237FF719FA4F3849E6676B69225914D59C4020A5862D80FE77932
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

823.exe

Verdict:

Malicious activity

Analysis date:

2021-07-13 16:52:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4bc59f15-f73b-427d-94ea-22553d6388a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171471/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL

Win.Packed.Taskun-9874486-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/078c1bbf-f2ba-460e-ba43-9457ff809eac

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/815759

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-13 12:49:32 UTC

AV detection:

7 of 46 (15.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7v7fmash5mmodit47u6en4ima26k4bkwfx2lfbroyu6ku5xiaqra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2361e8542045dddfaa5e2e6dfc49db670b687dcfa00e7877830de468bc076e38

AgentTesla

528c4017fc8019572354de7746bba7978bb1ce0c9508e42644799712fb5ea869

AgentTesla

5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de

AgentTesla

988015476a43d916c6d49009eaa2e262246ac18eaf1615113262cd3540708450

AgentTesla

9c945e3dd82b26e5b6e2bc96a1aa6fdc1365235e6479c143340073fc831048fe

AgentTesla

c6cacd1d2bfb210318a62cabce8045f5735cd9a0e58c3aea8d3ec2174f6d7abb

AgentTesla

c7607bcbc0acfdf8733dff8a4f709009236da553d300abc2d0df98b3e6c70f58

AgentTesla

df54a04599bb3953ffcf067a4308e01dafe8ac2c9064bdd3fbc3a441725a06f2

AgentTesla

fe71bef6acadf2feb1a19c9e51543be0cacb245a5ce034b7510c72912996580e

AgentTesla

+ 6'685 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210713-ef5thwxfln/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

http://ahrend-cz.com/win/inc/f462c05ed33f1c.php

Unpacked files

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/1e5df342-15e9-46da-bb45-5a92b27a8858/

SH256 hash:

a7a610e55874c3697bdbe3517bd1abb0b1c8458f2a090da763647e5917ed6f4f

MD5 hash:

150884cd7c67fe5a52bdd0ab9016da2a

SHA1 hash:

d6fa2e3a33e5c0b7a8eafa8f2a9d4eb60abd54c8

Link:

https://www.unpac.me/results/1e5df342-15e9-46da-bb45-5a92b27a8858/

SH256 hash:

1bf211c0fe79d0cf1ef584406e5452bd66c134d289ffe4a6e43331f5c1c350bd

MD5 hash:

0e22c5ce3f532bbd578e5edefbe35278

SHA1 hash:

af88920c750ea40db47ae9e69ac7c6fc688d616d

Link:

https://www.unpac.me/results/1e5df342-15e9-46da-bb45-5a92b27a8858/

SH256 hash:

39ba9fc02362fc50b27a21c2ad4f040d0fa3534b1364b921b8aefad55bf49aa9

MD5 hash:

50493e164dca3830a03f4cdb8815dbc1

SHA1 hash:

910e6d4ad598049caa3f7d4ef7c2013e66da6fc6

Link:

https://www.unpac.me/results/1e5df342-15e9-46da-bb45-5a92b27a8858/

SH256 hash:

fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422

MD5 hash:

fc823514083f7b068ec30271361e88fb

SHA1 hash:

910000453b8aeca51e0887c9e0ed62270ca85bb4

Link:

https://www.unpac.me/results/1e5df342-15e9-46da-bb45-5a92b27a8858/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/fd7e560247eb18e1a27cfd3c46f10c06bcae05562df4b2862ec53caa76e80422

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171471/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample