MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc
SHA3-384 hash: e0ba092b0f946e875d796158736873a9ec6a026037673a035a535f3b2af1751840e181451cd00c158abc641dc29731af
SHA1 hash: 901f65348b82ee9006a56f077e8849eb7bf0b460
MD5 hash: 4a7f818874a86fc5f981e46733b2d7f5
humanhash: winner-zebra-charlie-early
File name:NEW ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:790'528 bytes
First seen:2023-05-10 14:38:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qQ8ZfT/bdwhH5inDFFQUSdEPsuIJxfc2nWpChzAWK58mxQL+:n6LDGhZiBFQFuP4/UG5K+VL+
Threatray 1'054 similar samples on MalwareBazaar
TLSH T19EF4E111722A9B2BC7A843FF0628454113B87716BD67E23C6EDF11CDEC22F504A65EA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
NEW ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 14:39:25 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/055cc12a-59ce-4d44-9bbf-aa18527bfed5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388236/
Detection(s):
SecuriteInfo.com.Variant.Lazy.338474.24469.3995.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645bac86890517bfb2b844f4/reports/cc685932-d268-4ada-8768-e8ef6250ec2e/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5ed9fa2-85da-47de-a80b-7892af12d8b1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1230142
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 863121 Sample: NEW_ORDER.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Found malware configuration 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 6 other signatures 2->74 7 NEW_ORDER.exe 6 2->7         started        11 zRshgsL.exe 5 2->11         started        13 zRshgsL.exe 2->13         started        15 elsRiGyROD.exe 2 2->15         started        process3 file4 48 C:\Users\user\AppData\...\elsRiGyROD.exe, PE32 7->48 dropped 50 C:\Users\...\elsRiGyROD.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\Local\...\tmp2DB7.tmp, XML 7->52 dropped 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->84 86 May check the online IP address of the machine 7->86 88 Uses schtasks.exe or at.exe to add and modify task schedules 7->88 90 Adds a directory exclusion to Windows Defender 7->90 17 NEW_ORDER.exe 17 10 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        26 NEW_ORDER.exe 7->26         started        92 Multi AV Scanner detection for dropped file 11->92 94 Machine Learning detection for dropped file 11->94 96 Injects a PE file into a foreign processes 11->96 28 zRshgsL.exe 11->28         started        30 schtasks.exe 11->30         started        32 zRshgsL.exe 13->32         started        34 schtasks.exe 13->34         started        signatures5 process6 dnsIp7 54 smtp.quartziax.com 17->54 66 3 other IPs or domains 17->66 44 C:\Users\user\AppData\Roaming\...\zRshgsL.exe, PE32 17->44 dropped 46 C:\Users\user\...\zRshgsL.exe:Zone.Identifier, ASCII 17->46 dropped 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->76 78 Tries to steal Mail credentials (via file / registry access) 17->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->80 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        56 208.91.199.223, 49703, 49704, 587 PUBLIC-DOMAIN-REGISTRYUS United States 28->56 58 smtp.quartziax.com 28->58 60 api.ipify.org 28->60 40 conhost.exe 30->40         started        62 smtp.quartziax.com 32->62 64 api.ipify.org 32->64 82 Tries to harvest and steal browser information (history, passwords, etc) 32->82 42 conhost.exe 34->42         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 10:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aiop3lbvw7ymxd3lurqkgomu2ajira5nfambfm4as6f4ket2xo6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
AgentTesla
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
AgentTesla
5a46bd65bf5067b29396df720a7f67abb3a773ee9ffa19587242bfeb6f5c4d15
AgentTesla
847e04095e646bc56458e498de0e8741d873b777567a0372b59d27d4f1d3b625
AgentTesla
a4b5f7aed3df1aaffcac4423faf222b78da209a22d2f6bd74cdf46d2b1498670
AgentTesla
bb2672735b9660902bf39ac41917389096203c4586d4460b59cb3737bf8e2814
AgentTesla
e44e1135888701ba8cbf462efa9d992a2fa1f83e52c471f65c62c16fdecade26
AgentTesla
fd6a88c61e8b5b68f3f70d8aab48dabdfc21d96d81f823647d310ccbe1fd968a
AgentTesla
fe5441d6898cf0dea8ca087588a0b8cbc0154a011f4b81de03d370a237b86ebf
AgentTesla
fee8b0a5bd69e9ca4d343dbf309b19ecc9a510dc26f7d84d1095fbb494763a99
AgentTesla
+ 1'044 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230510-r1bdpsac3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
080ea9b31958f8eca529b29e9adeec39b3d3bd53394c46988cdf9a2457ddf75e
MD5 hash:
34b7af0fb25b87e9a991ca9f661aa8a5
SHA1 hash:
c80305213c03de63d0214828d8205add6e1d7a2b
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
SH256 hash:
c72ca892abebd8794a9544913d071c3c91356f5075509717727e180e87cb98ba
MD5 hash:
25383385b11436b817ed4dc0419f4e24
SHA1 hash:
9441f35f45a30503ebb2c717209f29341b5b48b6
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
SH256 hash:
ad517824e943522b337745080ffc9ae1f04330a0bafd3c7f80ed570efe029054
MD5 hash:
c993996f2f73c18aa90b4d6815afe159
SHA1 hash:
4d71320e377771c67e744fe9cb648de3b7cdb5ac
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
SH256 hash:
6f014ed5f2492c1e4dba51ba00e7f3278feabf9882d295f6d4e650c992508444
MD5 hash:
5509a68357957231d48ff31d09ca324e
SHA1 hash:
37b4933abead0fc2de7d2fcc161c3e5b883b6777
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
Parent samples :
ff93a2e2fc9a3ff0bfe4ae5b9bef84478972cc403c1c68ce1de414e19acfa6ea
f58fea7363083d8ad73358f871c6483ab17d804ce34eb6558c62b3350ad368df
42a1b1333505c88f790a7fbc5c39856f94cbddaeeffa5be29ae38fb5f567350d
021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc
ea5d05e0b638ccc55cf1c7d641e6ca67ceb79ac5e4be6ed178402cad263efc7e
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
SH256 hash:
021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc
MD5 hash:
4a7f818874a86fc5f981e46733b2d7f5
SHA1 hash:
901f65348b82ee9006a56f077e8849eb7bf0b460
Link:
https://www.unpac.me/results/5be619ac-74fd-46b4-a3c7-be63942ed965/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/021cfdac35b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 021cfdac35b7f0cb8f6ba460a33994d0128883ad281812b380978bc5127abbbc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388236/

Comments