MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
SHA3-384 hash: 08e64595c25c591b3c38f91a233c6252963609861391f2df52a08b1ebb742517cbcf6568c0b864998a5f67fd8d34f3ad
SHA1 hash: c870ab4e0c85c02a6928f49a87d2908d0c2f5af8
MD5 hash: 58766a0deb586602fbfc126b21db8797
humanhash: pip-video-johnny-jig
File name:ORDER14.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'018'176 bytes
First seen:2020-10-22 06:17:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 98304:09ezxlSBOChdrxeC8YhCDKWFduklblJlVrhPcna30IoMGfzkie0KYD6Qi:09ezxlSBVdleC89DhFfplJltenaEhLah
Threatray 42 similar samples on MalwareBazaar
TLSH 7C063322982D9FA2D8BC6FF2105A099B83702C1F67A0D1685D4BF6FB94B6302471DF57
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: stock.ovh
Sending IP: 51.178.87.221
From: wilsonlee <wilsonlee@ogcf-eng.com>
Subject: PURCHASE ORDER
Attachment: ORDER14.rar (contains "ORDER14.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74458/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.888.31638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Forced shutdown of a system process
Blocking the User Account Control
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506595
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302468 Sample: ORDER14.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 22 Multi AV Scanner detection for dropped file 2->22 24 Sigma detected: Scheduled temp file as task from temp location 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 8 other signatures 2->28 7 ORDER14.exe 6 2->7         started        process3 file4 16 C:\Users\user\AppData\Roaming\dRuFeEBT.exe, PE32 7->16 dropped 18 C:\Users\user\AppData\Local\...\tmpF764.tmp, XML 7->18 dropped 20 C:\Users\user\AppData\...\ORDER14.exe.log, ASCII 7->20 dropped 10 schtasks.exe 1 7->10         started        12 vbc.exe 1 7->12         started        process5 process6 14 conhost.exe 10->14         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 20:32:27 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyr3v2wqfufdlejf44wn36ffcfhycz7duhyrw2tz6dixcnjr7k6q._file
Verdict:
unknown
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
AgentTesla
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
AgentTesla
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
AgentTesla
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
AgentTesla
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
AgentTesla
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
AgentTesla
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
AgentTesla
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
AgentTesla
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
AgentTesla
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
AgentTesla
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201022-kleh4xb182/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
UAC bypass
Unpacked files
SH256 hash:
173997c6509d5701b419447dac094b6ec7497d8210be807066495cf47e4979f5
MD5 hash:
d798c5a9ccbcf67a5153c111125ec985
SHA1 hash:
b1a94220971a175b6b737fdbd635d8031af3efa3
Link:
https://www.unpac.me/results/0c7a6216-2f96-472a-92e7-c17c69e6875e/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/0c7a6216-2f96-472a-92e7-c17c69e6875e/
SH256 hash:
b315ac4a1769e6a8fdc14ea43f2b56a5bc01329b5bd3b21f7dc85c6a0c601658
MD5 hash:
e60407c88a877f35f8aafc3b32a93225
SHA1 hash:
ac2370cfeca914e9419cdebea5ba2e56554b3cc3
Link:
https://www.unpac.me/results/0c7a6216-2f96-472a-92e7-c17c69e6875e/
SH256 hash:
03b33dc314e4e48df7f4268c06da860e4f9e2a6440d22c05a5ffe40b10b7b54e
MD5 hash:
e539377f7742afed7dcc4aa5cc4f1691
SHA1 hash:
ce34e5376247792e764b9e57fab51e4df6854997
Link:
https://www.unpac.me/results/0c7a6216-2f96-472a-92e7-c17c69e6875e/
SH256 hash:
1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd
MD5 hash:
58766a0deb586602fbfc126b21db8797
SHA1 hash:
c870ab4e0c85c02a6928f49a87d2908d0c2f5af8
Link:
https://www.unpac.me/results/0c7a6216-2f96-472a-92e7-c17c69e6875e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 36839b4fe7c2c78072dfbeb372071828b0bdf8f6ccdb57bcb99c9fe9e13c98f3

AgentTesla

Executable exe 1e23baead02d0a359125e72cddf8a5114f8167e3a1f11b6a79f0d1713531fabd

(this sample)

  
Dropped by
MD5 05686e711d07ef9bbc124fc0990ddc1b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74458/
  
Dropped by
SHA256 36839b4fe7c2c78072dfbeb372071828b0bdf8f6ccdb57bcb99c9fe9e13c98f3

Comments