MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9
SHA3-384 hash: eee532f024938f29986b1f34e7475b478fa89b428c133d4f5f589dc18a5206f99e298117845e99d6cdbf6c0103d97f32
SHA1 hash: 2a44961bc6099b553258adda6b0c5e7871f8069a
MD5 hash: 74f25f624f40c12bf270ec8c79c042af
humanhash: jupiter-cup-mango-freddie
File name:Orders.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:23'704 bytes
First seen:2021-04-19 15:05:21 UTC
Last seen:2021-04-19 15:51:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:QLrrrLprbGqV1043LVV0undbTgQoHu7u9GpXCXrCM3ZhrmbN0hj:83DLbTndbTQOaEpyRI0hj
Threatray 4'049 similar samples on MalwareBazaar
TLSH 2CB25C42B7E28649FF228B32ADE1DD225B79BF037503EB6FA9809044096374C759157F
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orders.exe
Verdict:
Malicious activity
Analysis date:
2021-04-19 15:23:08 UTC
Tags:
trojan dtloader loader keylogger stealer agenttesla
Link:
https://app.any.run/tasks/be7a627b-b8c5-4dc1-a955-a1c8e9e463c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/138564/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.159.32669.8324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/687144
Signature
.NET source code contains very large array initializations
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 392520 Sample: Orders.exe Startdate: 19/04/2021 Architecture: WINDOWS Score: 100 46 mail.jumatsedekah.com 2->46 48 jumatsedekah.com 2->48 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected AgentTesla 2->66 68 2 other signatures 2->68 8 Orders.exe 15 4 2->8         started        12 newapp.exe 3 2->12         started        14 newapp.exe 3 2->14         started        signatures3 process4 dnsIp5 50 mmwrlridbhmibnr.ml 172.67.220.147, 49718, 80 CLOUDFLARENETUS United States 8->50 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->72 74 Hides threads from debuggers 8->74 76 Contains functionality to hide a thread from the debugger 8->76 16 Orders.exe 2 5 8->16         started        20 cmd.exe 1 8->20         started        52 192.168.2.1 unknown unknown 12->52 78 Multi AV Scanner detection for dropped file 12->78 80 Injects a PE file into a foreign processes 12->80 22 cmd.exe 1 12->22         started        24 newapp.exe 12->24         started        26 WerFault.exe 12->26         started        28 cmd.exe 14->28         started        signatures6 process7 file8 42 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->42 dropped 44 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->44 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->54 56 Tries to steal Mail credentials (via file access) 16->56 58 Tries to harvest and steal ftp login credentials 16->58 60 2 other signatures 16->60 30 conhost.exe 20->30         started        32 timeout.exe 1 20->32         started        34 conhost.exe 22->34         started        36 timeout.exe 1 22->36         started        38 conhost.exe 28->38         started        40 timeout.exe 28->40         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7wczhg5og7co2mvfsywt3d5w5rfxkdzbwk46pmxpokujwhpxt4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
1e3772fb826af045d4d6aa5943be1c66bfca44858adaee941606ebce680373d1
AgentTesla
31705dc52cd25b1a406341a071401d39833225a184c0918214edf72cd3a77a57
AgentTesla
639aa73ed2700349b87c9a12879447b219dfd137f60f50611588e9ced7726392
AgentTesla
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
AgentTesla
6b6a6cb45c75ffda98874ecb88f2fbc1ec1737222116967459117d6d8d36ecc9
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
c2c8dd06ab505a3989373e72a3f565054a63716424f559592859024d2bade1d7
AgentTesla
ca7eebfdd882ee2f0c0fa96965ade9378129afcef2302faac6391b9fba82debc
AgentTesla
f408fd39d1ec47e7ba56e85ac76e167b2cb000acde2643ec8f36c571fcc1842f
AgentTesla
+ 4'039 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210419-br9twfszbs/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 99fb89b43071f1c2b60514298ac2f28c27de776ea1bc0a2956304d83481daa81

AgentTesla

Executable exe 07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9

(this sample)

  
Dropped by
MD5 fbbad25e8d851e2d3ab09ba868c5d190
  
Dropped by
SHA256 99fb89b43071f1c2b60514298ac2f28c27de776ea1bc0a2956304d83481daa81
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/138564/

Comments