MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a
SHA3-384 hash: 0fc8fdf074f9a4449530465eb7bbf3f0236c41b47c8051797a0c7436a3390d9ba810780701859c7914c0fc9ce680e000
SHA1 hash: e56b20eb463170405193fedc4be1b25fa93b0bb5
MD5 hash: 0927b8e253a5769be36d71ddb6473baf
humanhash: oven-bakerloo-pennsylvania-georgia
File name:Order#SQ031776.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:675'840 bytes
First seen:2023-04-07 12:47:10 UTC
Last seen:2023-04-11 09:00:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bKEGQYTB8oIGDSeidcM9m3JmfUHYFT0MUW+bxb804aemnar56e4dIS7vbeMJRD77:bKEGQWB8oIH0ZdYFodbxb804aemnaseU
Threatray 56 similar samples on MalwareBazaar
TLSH T19BE49D521A624BD5D6B90D6407787A88167CAF429710633E7C83BD3F8CFBB4B50993E2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order#SQ031776.exe
Verdict:
Malicious activity
Analysis date:
2023-04-07 12:48:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e30c349-b32e-4bf8-8eea-88b3ad53ffac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380781/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230406-1634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/643011032254dc891204a624/reports/6114a9b9-9fd4-4699-a60e-7cd78a16f0cd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fef6b621-6853-4572-81be-dfb07bfd3752
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1210203
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 843120 Sample: Order#SQ031776.exe Startdate: 07/04/2023 Architecture: WINDOWS Score: 100 38 maskanikenya.co.ke 2->38 40 mail.maskanikenya.co.ke 2->40 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AgentTesla 2->50 52 3 other signatures 2->52 8 Order#SQ031776.exe 7 2->8         started        12 NEaiBp.exe 2 2->12         started        signatures3 process4 file5 30 C:\Users\user\AppData\Roaming30EaiBp.exe, PE32 8->30 dropped 32 C:\Users\user\...32EaiBp.exe:Zone.Identifier, ASCII 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmpCFCC.tmp, XML 8->34 dropped 36 C:\Users\user\...\Order#SQ031776.exe.log, ASCII 8->36 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 64 2 other signatures 8->64 14 Order#SQ031776.exe 2 8->14         started        18 svchost.exe 8->18         started        20 powershell.exe 21 8->20         started        22 2 other processes 8->22 60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 signatures6 process7 dnsIp8 42 maskanikenya.co.ke 170.10.161.27, 49700, 587 STEADFASTUS United States 14->42 44 mail.maskanikenya.co.ke 14->44 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->66 68 Tries to steal Mail credentials (via file / registry access) 14->68 70 Tries to harvest and steal browser information (history, passwords, etc) 14->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->74 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started        28 conhost.exe 22->28         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 08:33:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 34 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dowxj3rymt3c7jckfjcreftz5upk2mwboznaprnmftywxolqxi5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3
AgentTesla
1bd48635c48d95fc4fb94e31c015d3663d06e05a0493de2be102d59db4c9f8d3
AgentTesla
1c016657f34ce6d4e22b93894605781f1315b462265588174fc9774f0013a519
AgentTesla
24eff453781c287faa8e26134cd992f207f03d34b8d2f0e45dd94156ecf6e43e
AgentTesla
48ccca41d831d4786acd2e9c29360037649ec5633f54d0aae8ccab77dc94db57
AgentTesla
5d89fd91fbb0c2d4d75df1bde8c233dc0fe3e576966a5ab65b231ecc58935272
AgentTesla
62413ad16a42665b9396e1cce548b6e212c5cf21d3d2d8ae8c02ba83bd69fa0e
AgentTesla
8ec8019892b2f4625446c785c98dce87ac6362cbbdef61f57c4787ec35bbb262
AgentTesla
ae64fb90225d89fc47da4f9759073771ec29788c66d87982c6dac4443d68a21f
AgentTesla
d26449a86fb463c573cd383b333c1d807165762718c9d4fd78c1cf15c70e1f98
AgentTesla
+ 46 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230407-p1r1caba5v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6ed5754774ca845ea9082b30abb01d1db00078035c800d347212d21778ae5b72
MD5 hash:
656856ebecb29670e0e8fa56046e5eb4
SHA1 hash:
954b5a1bca5190305e1245b041dddcd487e28924
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
SH256 hash:
25b48fdd1689bbd595121ec0066b4c9c5318e1acc84d018c4707c8fe33b34874
MD5 hash:
fef368729eb2abbf1f370b34ae1d5cef
SHA1 hash:
754f04a658d8f9ff552cd1ea26396d15244e5510
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
Parent samples :
25b48fdd1689bbd595121ec0066b4c9c5318e1acc84d018c4707c8fe33b34874
3b9f9fc739dfb6d59c22f7b0ee4134f404ae4faaea7b01896363a657f6db3643
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
SH256 hash:
496670389ca3d93717a23f0e58d19bb577f8d15e310c9f7a83fd81645ddfb652
MD5 hash:
9f99d77cd36e9402a2eea20a24c9a64f
SHA1 hash:
4614d7f71848da05bb2dacf21c69b56c8fde0320
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
SH256 hash:
48ceb55d8c1c13d9c360c3b3d08aa5e746c7bbca06005a63d4abc2c6dc7274c3
MD5 hash:
1baa6a7ba948d9eacb0f3cd5b453d126
SHA1 hash:
388baee1ca29b39d5894d5758f5593f9f53c15e9
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
SH256 hash:
1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a
MD5 hash:
0927b8e253a5769be36d71ddb6473baf
SHA1 hash:
e56b20eb463170405193fedc4be1b25fa93b0bb5
Link:
https://www.unpac.me/results/1b2a6fdc-28cc-4b13-a53f-f8e9a3106a05/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1bad74ee3864/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1bad74ee3864f62fa44a2a45121679ed1ead32c1765a07c5ac2cf16bb970ba3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/380781/

Comments