MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05
SHA3-384 hash: 55ca9dbc2bc7daa38d891f491abdeeed120584043913597f42f1b8a620ee1810bf95a421c23dfaffe86ca34f26ee52eb
SHA1 hash: 9e103dcdbdc3e47d714e4e4d9c0ec7b68e7fecda
MD5 hash: 03141ea1c24747327d62c1f621b1d31d
humanhash: undress-diet-salami-purple
File name:Order Lists.pif
Download: download sample
Signature AgentTesla
Create hunting rule
File size:556'032 bytes
First seen:2023-04-14 07:53:03 UTC
Last seen:2023-04-14 16:41:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:W8y5rmspXnjcGxdnCyE4jrTtZe+Re0+rLL4I/oJqkHvXn2MXiZCc:Wl93jLzCyLPeUe0+vL4BPkU
Threatray 2'098 similar samples on MalwareBazaar
TLSH T1B1C41313356C2732D27C67F6142E0A205B761933F079EB199D8E40EF1EA9B864B91F87
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe pif

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Lists.pif
Verdict:
Malicious activity
Analysis date:
2023-04-14 07:55:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c7a9bae-0ecb-48de-aa0d-7bd77da287b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382219/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6439069b59a1287810bc1ed7/reports/f2d2d38d-77b4-4003-9329-eb5261852dd9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db6b445a-9709-4b88-8cbb-763185dbe904
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213749
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 07:54:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwjuq5xxszahphtt4inncvxhi2d2vep65kq7erg77xcrn6eghycq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
23b3b5a24a51826ddb55a28333f4bfb9455f891f946e7d71a8d1eb3bab1f02f2
AgentTesla
2713d5f063d131de0d8ab8c4768401364b4f512c7b79cf6ab14f8d596a725af2
AgentTesla
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
AgentTesla
5e07308b25241de53ccc1a6f833e13bf63ad9bf9fe3f4786b28fdd959702a50d
AgentTesla
655260800846128f96bb9bd7e4926711a5b75df01f36ae7dfa5b2197f1105f67
AgentTesla
6ab23b6c600f2f84df0442f21ba552973126809d9b26557d2f815e60c135517a
AgentTesla
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
AgentTesla
9975c3c2c7bb393e635997f7e9060557ddc22931a8d700e558b7bb2c8d6ff892
AgentTesla
f388b5e3cf8b41bf483a00dcd8d53cc02c298ec970510f68190e33992b184440
AgentTesla
f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca
AgentTesla
+ 2'088 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230414-jq1xlsae2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
37ca4b23e7bb82701b5e195f4fc4b7d4cfc7a05241d252740d0a6f8f07e21a8a
MD5 hash:
eca2a1f777f59644a547ffae7e749bea
SHA1 hash:
dbdf777656289b5d1f5c7ead5ede0cff76cbed90
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
SH256 hash:
c2725eb59ad90679f9b422af37b07d33c00bfa0e46c153ca9e7879731662c4ac
MD5 hash:
49b27c7def4df99940af674c4b90b55c
SHA1 hash:
d87c2a6c7885ed303ab70d25bb257a267b66c06e
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
SH256 hash:
b4927682d5c689be7e88e747b9ebc98933ca704caf594f8f65835491fb34c0f0
MD5 hash:
8df6302899be2cdea13c99c6d209c3bb
SHA1 hash:
86880c580bfcedd07b6b8084e608d6a20a5542bd
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
SH256 hash:
1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05
MD5 hash:
03141ea1c24747327d62c1f621b1d31d
SHA1 hash:
9e103dcdbdc3e47d714e4e4d9c0ec7b68e7fecda
Link:
https://www.unpac.me/results/e7f977c0-938a-46ca-bd5e-b819e389c061/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d934876f796/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1d934876f79640779e73e21ad156e74687aa91feeaa1f244dffdc516f8863e05

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382219/

Comments