MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16
SHA3-384 hash: 8746635f046ba7eeb1be29b093e46226ff8dd01275326e6d9fdb5ca4bf498c6c4ed7dc925581e28a35241bb39f60b746
SHA1 hash: fc8382a99e4383e8e5799d6be4c0627d9cd146e6
MD5 hash: 17f6405fffb0032159a90fa6818ba577
humanhash: angel-william-ten-vermont
File name:order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:813'568 bytes
First seen:2023-02-23 14:38:35 UTC
Last seen:2023-02-23 16:28:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:0J8ejKE556P4/j0Qytl2D3KcY+5HkvDYn3y8SiYU5:y5roQoM3N5Hkrm3uvU
Threatray 870 similar samples on MalwareBazaar
TLSH T1AA056B8662B09033FDDE80AD07341ACF1E31B252710DE6675F7B2A989D1ACFBB5D8251
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0c3269d44569300c (17 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 14:39:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/471f9aa8-1048-4a4e-ada0-00fa44158953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369304/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f77a8842bf85850e446202/reports/e8cc9c32-7457-4057-8be1-d0e58e459981/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d792371-a181-450d-b190-4827ee61cd78
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181370
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814201 Sample: order.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 Machine Learning detection for sample 2->59 61 Initial sample is a PE file and has a suspicious name 2->61 6 order.exe 3 2->6         started        10 MpZZj.exe 3 2->10         started        12 MpZZj.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\Local\...\order.exe.log, ASCII 6->25 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->63 65 May check the online IP address of the machine 6->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->67 14 order.exe 17 5 6->14         started        69 Multi AV Scanner detection for dropped file 10->69 71 Machine Learning detection for dropped file 10->71 73 Injects a PE file into a foreign processes 10->73 19 MpZZj.exe 14 2 10->19         started        21 MpZZj.exe 2 12->21         started        23 MpZZj.exe 12->23         started        signatures5 process6 dnsIp7 31 api4.ipify.org 104.237.62.211, 443, 49702, 49704 WEBNXUS United States 14->31 33 us2.smtp.mailhostbox.com 208.91.199.225, 49703, 49710, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->33 41 2 other IPs or domains 14->41 27 C:\Users\user\AppData\Roaming\...\MpZZj.exe, PE32 14->27 dropped 29 C:\Users\user\...\MpZZj.exe:Zone.Identifier, ASCII 14->29 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->45 47 Tries to steal Mail credentials (via file / registry access) 14->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->49 35 smtp.aliyvun.com 19->35 37 api.ipify.org 19->37 39 208.91.199.224, 49712, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->39 43 2 other IPs or domains 21->43 51 Tries to harvest and steal browser information (history, passwords, etc) 21->51 53 Installs a global keyboard hook 21->53 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 09:02:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmd2vpkckfzwmgompdawu6zvxvotlvuoapa5n7siwjilfil4h4la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
175b18fc4d1ce73099a94c25d5fee0af5704e47b37803137368bdf416fc8a364
AgentTesla
5cc899a8dd9072ce72a49004c5b9f7cc074e4e7c4088fa89b25767182976e31e
AgentTesla
85913d4430d1da9a29e295d98d21997c90edf6d3dea08c709c81e5c8302c3e0f
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
9a8c1fe1c53db8a44a8971664845fc5a63f34199504f3156101d8005059247a9
AgentTesla
b7edcf412d229e488db5a92975a1b2398f4bc4e7dc0317f9e226b706140994f2
AgentTesla
f23e3fb55ed796ffce910533d5e6886e4c84d22195054c16540baf515b0113c2
AgentTesla
f372f32242ba5521234305f8d8cb0f314b89be5417f875e9f2789348fab3d3c1
AgentTesla
+ 860 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230223-r1ar6sgb64/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1d00813c890e48e5844de06f49dbb6a913791c88af9e2c54c97c00217c96824a
MD5 hash:
5e97528bf0b71b00e3dc5b62eadc45b6
SHA1 hash:
e15dccc483dcd9d2d0be1b0a6db5403555d5a5e1
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
SH256 hash:
49bddd89a7d2ef0c678d2ea9462ac4e667bed2fde1dda9e766939bc9b2f88f3e
MD5 hash:
aef951bfc2f320b909e5b2d93d79f58f
SHA1 hash:
cb1587910249c800a52dc452a227444681e633d4
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
SH256 hash:
0f523bb97d792e427dc1d2babc691221def301288310098b7145d083f19e4e7c
MD5 hash:
b959fd775c3452b9eb6eea6989077d70
SHA1 hash:
c50ff815c250d0faf20682af3637556ba43bee62
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
SH256 hash:
835ccda1e9ae6b270554915a6654ff1b1cb46a33ff56012737293c170a0a5bd9
MD5 hash:
3be9d9b1439d509acffa4fdabdb707f1
SHA1 hash:
1855518c15e44c3685b638883ccc0acb2ab42e0c
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
SH256 hash:
1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16
MD5 hash:
17f6405fffb0032159a90fa6818ba577
SHA1 hash:
fc8382a99e4383e8e5799d6be4c0627d9cd146e6
Link:
https://www.unpac.me/results/bb362932-35e6-4c81-89c8-06993d7f29ba/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1307aabd4251/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1307aabd4251736619cc78c16a7b35bd5d35d68e03c1d6fe48b250b2a17c3f16

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369304/

Comments