MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b
SHA3-384 hash: 71dd234966c1a6d718778b31378df65b84a95f92d20c878889431b241688a5b93e54c2594140836ece5e1531128cd172
SHA1 hash: 0f2b98ee6967a599347a5880ba308cef155758b1
MD5 hash: 7f4fd0681d3a4feb838e6fa73e8b50b8
humanhash: lamp-paris-salami-fish
File name:orderistPDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:361'984 bytes
First seen:2021-07-16 12:43:30 UTC
Last seen:2021-07-16 13:50:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:tbg96ZkGXtI8p12kWfaouqy3ALuBTut9m/vawrfu6zmBtlEcJYah:KSeS12kcaoBluBA9Ovawrfu6aBtlXYah
Threatray 6'930 similar samples on MalwareBazaar
TLSH T19674124896DC56F5D05446FFAD97B92022B1FF362409ED9A5DCC308C9934B0232BEE9E
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
orderistPDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 12:47:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ada62c7-9206-4bf2-8332-373d8ee22545

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172195/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37243943.11972.30269.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2c2d6d0-830d-4847-ba3c-d8a526dbce09
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817452
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449863 Sample: orderistPDF.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 57 www.yahoo.com 2->57 59 new-fp-shed.wg1.b.yahoo.com 2->59 83 Found malware configuration 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Yara detected AgentTesla 2->87 89 6 other signatures 2->89 9 orderistPDF.exe 4 9 2->9         started        13 spreadsheet.exe 2->13         started        15 spreadsheet.exe 2->15         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\spreadsheet.exe, PE32 9->49 dropped 51 C:\Users\user\AppData\...\orderistPDF.exe, PE32 9->51 dropped 53 C:\Users\...\spreadsheet.exe:Zone.Identifier, ASCII 9->53 dropped 55 3 other malicious files 9->55 dropped 91 Writes to foreign memory regions 9->91 93 Uses powershell Test-Connection to delay payload execution; 9->93 95 Injects a PE file into a foreign processes 9->95 17 orderistPDF.exe 9->17         started        20 wscript.exe 1 9->20         started        22 powershell.exe 19 9->22         started        31 2 other processes 9->31 97 Multi AV Scanner detection for dropped file 13->97 25 powershell.exe 13->25         started        27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        signatures6 process7 dnsIp8 75 Multi AV Scanner detection for dropped file 17->75 77 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->79 81 Wscript starts Powershell (via cmd or directly) 20->81 33 powershell.exe 20->33         started        61 192.168.2.1 unknown unknown 22->61 63 www.yahoo.com 22->63 65 new-fp-shed.wg1.b.yahoo.com 22->65 35 conhost.exe 22->35         started        67 2 other IPs or domains 25->67 37 conhost.exe 25->37         started        69 2 other IPs or domains 27->69 39 conhost.exe 27->39         started        71 2 other IPs or domains 29->71 41 conhost.exe 29->41         started        73 4 other IPs or domains 31->73 43 conhost.exe 31->43         started        45 conhost.exe 31->45         started        signatures9 process10 process11 47 conhost.exe 33->47         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 00:46:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5pv6ujuffiwj53jwosvkxegvm33squeu76gdti3xpous24ayjnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04429647bba9090cd3500f585a8a5ec39891f8b8a88f4f647a67a9d35e3ed217
AgentTesla
16687d1c2945be78cbcabfb542520fc4f0a153b820aed024d8dd0032be6a7b0f
AgentTesla
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
AgentTesla
70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430
AgentTesla
73db8576ad079efbe1376a00f6d027d0e9aeb173f594ee7161dbd5c62f9f215d
AgentTesla
764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9
AgentTesla
791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c
AgentTesla
86e7e9abc8ae431280935625545da1a813509462ec27d6d7ded6ef0a6b8eb43a
AgentTesla
9ca380b9e68f8aab9d08c3357ce286ce087c81c96b64923f6401dc31679b5453
AgentTesla
bbde4210ae31bc0d1a2b038dba97b9aea0a3d9ac9e0dc5a11475208b61506d9b
AgentTesla
+ 6'920 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210716-r58yllen4a/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7ee1139233ce91318b0b46701b427fb30802dc543084b563966c90bc4baa3f6a
MD5 hash:
5ca7f041e027d4d5079cb815eda7889f
SHA1 hash:
d7e7075322fb417cebd67882b69b80b2c3a19088
Link:
https://www.unpac.me/results/31e6afa2-70d6-4354-a831-3559dbe0162e/
SH256 hash:
f7d0613a7f74f3a82061725280f63b191ec2eb3d9159398fb348bcc86727b88f
MD5 hash:
f4a626661af1f7da71c28e7ae0e31ea5
SHA1 hash:
cc3694ece7afa21854eecc393c38bc7cdab7443e
Link:
https://www.unpac.me/results/31e6afa2-70d6-4354-a831-3559dbe0162e/
SH256 hash:
f52e55075793f59f8a2eece66a2ec9edfdbe708a79497193a8d186d79442168b
MD5 hash:
958967a41bb1f1ae6ac28d0ad920f195
SHA1 hash:
b9f4f4091cfdaaa3b94b9440560b1cdf409ce26b
Link:
https://www.unpac.me/results/31e6afa2-70d6-4354-a831-3559dbe0162e/
SH256 hash:
8a477415cbf05f93e6fb494d677107870b4b88e44a571c4e1c32ae8a42f4abfd
MD5 hash:
28e6ed580ad79b349048d9e9247bb816
SHA1 hash:
584fe8efa76d3f058a0507e9894aa84aa7bca564
Link:
https://www.unpac.me/results/31e6afa2-70d6-4354-a831-3559dbe0162e/
SH256 hash:
0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b
MD5 hash:
7f4fd0681d3a4feb838e6fa73e8b50b8
SHA1 hash:
0f2b98ee6967a599347a5880ba308cef155758b1
Link:
https://www.unpac.me/results/31e6afa2-70d6-4354-a831-3559dbe0162e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f5f5f5134295164f769b3a5555c86ab37b94284a7fc61cd1bbbdd496b80c25b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172195/

Comments