MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607
SHA3-384 hash:	93939143f9d76295d756ad22050aa4292907e44b995e69ce5db83ac886d91970552c787fa58e7a5e982478defed9932d
SHA1 hash:	c84322245a794847df1449dc65cf9ec7acffe153
MD5 hash:	f2c464d044ee7df36ce95bcb314f6a86
humanhash:	xray-earth-five-juliet
File name:	NEW ORDER CONTRACT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	956'416 bytes
First seen:	2020-12-23 07:18:31 UTC
Last seen:	2020-12-23 09:00:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:TxWZSunzwIwVLggr1GNj0vn28WwDSfnWyF+:HXIokXfWyF+
Threatray	224 similar samples on MalwareBazaar
TLSH	CF159E343EE65418F273AF3ACAD86599CBBEF6633703E51F64E1234A0613A41ED80579
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

479

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

NEW ORDER CONTRACT.exe

Verdict:

Suspicious activity

Analysis date:

2020-12-23 07:27:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/94d9a74e-aaed-4802-b983-e9ab16d804c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109128/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.dc.15228.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/568959

Signature

.NET source code contains very large strings

Binary contains a suspicious time stamp

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-23 07:19:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=celgqpq6qgn25ledkn3sze337cu5aun5bbabbcxvx2sux7zxaydq._file

Verdict:

unknown

AgentTesla

237c747caafde8ad8feca8fd69ec5143842d213b09f4248f86813070fe380085

AgentTesla

2a411486f86d7a28869c33afc7efec53f718b0613f91b6a28a6d3343aeba8e63

AgentTesla

5f660b3ade2f06e699063a8ea77f25509dc4ea949bb8b590fefe22d94b70bbed

AgentTesla

70f4d4292ae1e84f9aba35df12e510161a98d453697ed8ce4bebb5fabdb71232

AgentTesla

7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78

AgentTesla

9ab99b021cac114dbf496c1b48e7f704799a1ca7d8b1e7e4366743f2e0ebcdfd

AgentTesla

b87399c6d528ab7bf017ea2c0d5a1b8d6eb5eb98c1837af426b4beff34372c01

AgentTesla

ce2369f1ba154a1fdd0599648dfbe32d6ad832c25d3f043bbe6b456cee609eeb

AgentTesla

e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4

AgentTesla

+ 214 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201223-65cv49alnx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607

MD5 hash:

f2c464d044ee7df36ce95bcb314f6a86

SHA1 hash:

c84322245a794847df1449dc65cf9ec7acffe153

Link:

https://www.unpac.me/results/f9f80290-1689-4c39-bad1-7feda6658cd6/

SH256 hash:

ad5616e638fd76f42381042e9aa2835709b5e385fff6d07deb085515b799b95d

MD5 hash:

c3949c358ca512a930af0b40ada048d6

SHA1 hash:

403046c4e7b09efc57f621a9e4ac0f5078f39361

Link:

https://www.unpac.me/results/f9f80290-1689-4c39-bad1-7feda6658cd6/

SH256 hash:

01025bce19b2a7c4e9360f7b5a204cd7fd7fba511c8c31f8190b20bc6e6fb723

MD5 hash:

6766d1a44f4fb0f752cb9fc57e9694cc

SHA1 hash:

515d9fc0438d1d8f505f130a158ec2468ca43f65

Link:

https://www.unpac.me/results/f9f80290-1689-4c39-bad1-7feda6658cd6/

SH256 hash:

909e050cfd3d2d6665cb05582b2d7842738f6f88caefb1ed47a9d53e90d02525

MD5 hash:

ec23d87143074cf620bd039df826e2dd

SHA1 hash:

e51d764b07e4fc9fb5c4ca046555b5c781ddd2d0

Link:

https://www.unpac.me/results/f9f80290-1689-4c39-bad1-7feda6658cd6/

SH256 hash:

d084676b1ab8f10f6becd608c3bb1f7e8653dc8ad53676625a156416b5d6a79f

MD5 hash:

2ce25b46b317c72193c295bdecf02929

SHA1 hash:

ff9fbdc95d7e3e761293be44aec4efe9722c9056

Link:

https://www.unpac.me/results/f9f80290-1689-4c39-bad1-7feda6658cd6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z f97f4895c7d99c08039a74bfc7a1fd4939fc27cda8160e15671bfe28a307df6d

AgentTesla

exe 1116683e1e819baeac8353772c937bf8a9d051bd0840108af5bea54bff370607

(this sample)

Delivery method

Other

Dropped by

SHA256 f97f4895c7d99c08039a74bfc7a1fd4939fc27cda8160e15671bfe28a307df6d

Cape

https://www.capesandbox.com/analysis/109128/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample