MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
SHA3-384 hash: acf9e3533b701fc2880b1830abd26d8519b6b7ae7c1bb817c0a19a4adb3817697e0c52265729a43efe41d2576dfb0757
SHA1 hash: 91c8e91b3f62b251a77a081ee942ba03a98724fd
MD5 hash: 831d4a721603de375526e83516add339
humanhash: speaker-carbon-william-spaghetti
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:820'736 bytes
First seen:2020-08-31 05:53:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f0f59407d43757262de08456add0c23 (4 x Loki, 1 x AgentTesla)
ssdeep 12288:ruSEZTeOlj6XcvUP8T9KWj4qtAV+M5fV8gBDm9m6seye47B6XYScP:y1s40GUw9hXVW2gBDCmbe+4XYh
Threatray 9'651 similar samples on MalwareBazaar
TLSH 8505C062B2F04833D1A71A3D9C0B9778A839BE513E289D466FF5DC4C9F397813825297
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.sgbcg.com
Sending IP: 113.11.251.241
From: Vladimir Baotic <aralinahabi@gmail.com>
Subject: Hi; am Vladimir, from ( Hyundai Heavy Industries Co., Limited ).
Attachment: New Order.zip (contains "New Order.exe")

AgentTesla SMTP exfil server:
mail.sunkyoungvina.com:587

AgentTesla SMTP exfil email address:
an@sunkyoungvina.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53258/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Clipper.8.17875.9529.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454878
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279817 Sample: New Order.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 9 other signatures 2->44 6 newapp.exe 2->6         started        9 New Order.exe 2->9         started        11 newapp.exe 2->11         started        process3 signatures4 46 Multi AV Scanner detection for dropped file 6->46 48 Detected unpacking (changes PE section rights) 6->48 50 Detected unpacking (creates a PE file in dynamic memory) 6->50 54 5 other signatures 6->54 13 newapp.exe 2 6->13         started        52 Maps a DLL or memory area into another process 9->52 15 New Order.exe 2 5 9->15         started        20 newapp.exe 2 11->20         started        process5 dnsIp6 26 mail.sunkyoungvina.com 45.117.170.2, 49723, 49740, 587 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 15->26 22 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 15->22 dropped 24 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 15->24 dropped 28 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->28 30 Tries to steal Mail credentials (via file access) 15->30 32 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->32 34 Tries to harvest and steal ftp login credentials 20->34 36 Tries to harvest and steal browser information (history, passwords, etc) 20->36 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 00:11:42 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b527mzyeq43i6s5j6xhudh4pszbtulcbo26s2b6euewqza4whk5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
05568298144f10100f3882592a8be0a1754c579f581a3db6316d014c7f8ca8f3
AgentTesla
1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984
AgentTesla
1a55a181a00b302c127b8871d999942cd3f9b83cfb3172cca4894fbbea1b668f
AgentTesla
3117dd759398a481d1664d1731ebc73fe140ac04e711b19a8a8bb6a22d607f3d
AgentTesla
a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3
AgentTesla
a93339bcc8ab06b5ef34abc63ba05c692b285ab47ff5d13b70959a52b3f53455
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
d6ade904fb2225703807124276b3c9f8eeeb737d7f44aacc82eb63eee77cfa5d
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d
AgentTesla
+ 9'641 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200831-xx7t92fkb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0e103c7539cd3e961dc94175504c6a269eb5845a1e85c1c8936ad6303cae9c8f

AgentTesla

Executable exe 0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb

(this sample)

  
Dropped by
MD5 0b8229dfc9672b2437c49732cd68ef2e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53258/
  
Dropped by
SHA256 0e103c7539cd3e961dc94175504c6a269eb5845a1e85c1c8936ad6303cae9c8f

Comments