MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 15 File information Comments

SHA256 hash:	1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
SHA3-384 hash:	e2f93c7dfcce0d01ae979255dade4701121e5b8f265caef181856940e0874b8e42806fa0f818f31c9d1ef521d5919ec2
SHA1 hash:	ac9f5a051227302049aa5136a26f30a3707db55c
MD5 hash:	8eab5e4d034fde42eb31add0cb923a97
humanhash:	finch-mars-fix-mango
File name:	NEW ORDER--GO23B005--DEC 2023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	637'952 bytes
First seen:	2023-12-01 13:57:57 UTC
Last seen:	2023-12-04 12:55:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:14uUdaP5mn0llWSQSSKJOzIT5HiSRJ56/:ydaP5mn0llNQN2OzCti2z
Threatray	3'356 similar samples on MalwareBazaar
TLSH	T17ED4CF015BF20E9BD57D1EB4AC31264183B8C157B2CBE7A75AA87EF418877E09B424D3
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

NEW ORDER--GO23B005--DEC 2023.exe

Verdict:

Malicious activity

Analysis date:

2023-12-01 14:00:42 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/46e7c07c-4674-4adb-a3f0-81bfe803abb5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/461719/

Detection(s):

Sanesecurity.Rogue.0hr.20231201-1635.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Ransom.Loki.Generic

Link:

https://www.hybrid-analysis.com/sample/1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a03d635a-2387-418f-99e5-2426375a6e85

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351418

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-12-01 13:58:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpq6wp6jat6fvhu6kvpd7jfcw2s2fgmrpvnpvgqvoadzdfjyp6rq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332

AgentTesla

1eda1b310543e616e8b7b97e8e5f13597fb3a67ed9658b3daba2f49361563689

AgentTesla

4e38578b5c0bfa9b222837756d0c2387d218aaa990b47befb98571cec82f6b32

AgentTesla

8a0caf3a314acdd946e058b936136c755e7701c1384b1f632075c0bc8d958bcf

AgentTesla

915b5b0d16f54f50af35902863670a73a5ce5dfeabc25cfe3bfa23cc637651fa

AgentTesla

c1cb5a4a27cf88c43845d65d73c7ca0706b00f8c999301061b745ce922c1bd12

AgentTesla

e278ecca391be13103b9584a01fd2bbd4fabdfef4756e3870e48140a304894e2

AgentTesla

f8aa3880202328a119071117878db0c3b5dc03a5cae3cb16e00cd2353598a913

AgentTesla

+ 3'346 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231201-q9s5faac51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

0191aa50276c0db86fc7fd2fd3fce3823546da73166ff34e3833065b60dcfd0c

MD5 hash:

eea30052940f56770127082642786a8c

SHA1 hash:

fd03b7fa3776e2118c50f049463a25b8ac78e404

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

SH256 hash:

c7aec0b70f354d6cb8db9664e6c9d29af15867d9d5c534239d76de8dbf2cd0cf

MD5 hash:

dfe831964cbbf44340b6c73549664f58

SHA1 hash:

9bf5dd543bce3cfb44c395aabf0fbed1a6bff38c

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

SH256 hash:

6a7ccdb633c8b1dea86f657b1559b9607c39c2bc0738be720b034ce54654da5e

MD5 hash:

b1f2f915a10e7e91a6a7ffbb132d003a

SHA1 hash:

542a6f0b3a8f3d0d115c0cb5bc868d5662d294c5

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

SH256 hash:

3220f2e18f454bac107afcb18a9027bd6e57a7692d9972af500b3e0c33e6e209

MD5 hash:

6e53137dc24986ba8732ae0eca0aba01

SHA1 hash:

11812f140c1b62d822490865fc91f19070e9cbd5

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

Parent samples :

1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
6d7ca76f65a253a1587d1f5a94d7ff27d0babf11b830fd778efb96ebd8196442
8879bff7f26b389b8d375928fc6095a3847f8602e00822e3f2f67705e2d85cc0
80a2010e0a0ade699a0c4bc3d5f739491d4ea6ccf4abe39b8232ef39dc7aa430
90c7b6bd3fd954125e071fca9a96c398d2c7c337e150b79c3629285858dd476c

SH256 hash:

1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

MD5 hash:

8eab5e4d034fde42eb31add0cb923a97

SHA1 hash:

ac9f5a051227302049aa5136a26f30a3707db55c

Link:

https://www.unpac.me/results/579383b0-4ccd-4020-bc4d-233aac129a26/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1be1eb3fc904/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 282698e5a19ee6121597b9715a72e3d71630d71cd44d6873316c4d23f63095be

AgentTesla

exe 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/461719/

Dropped by

SHA256 282698e5a19ee6121597b9715a72e3d71630d71cd44d6873316c4d23f63095be

Dropped by

MD5 9ccdd282a8896cce587a869e2ddeaa0b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample