MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e
SHA3-384 hash: 2ebc981dd3d8bc9c2035df9f47fd39e90c7896ea33d6a8775bf6dd9a214e8b9e47486eaa9279269a7d50ad887319db23
SHA1 hash: 9f3329f0e442340ad2c7049bb7f7b488851dda64
MD5 hash: 114544ab1868f27ef24cb813406e06c0
humanhash: washington-delta-freddie-may
File name:new order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'568 bytes
First seen:2023-05-04 23:17:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ZJPg/egQVt0pZgzVmcweMHrOM4/Nu1EpokkmEDe7CN57uS8mSLO:ZJPDVm+TMGN+EpokDol/p8mSL
Threatray 721 similar samples on MalwareBazaar
TLSH T195D46B525065CE5FFE2ADBB08575FF85A7F1B07324E1D0201FB961C9CAA5F012E48A2E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter threatcat_ch
Tags:AgentTesla exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new order.exe
Verdict:
Malicious activity
Analysis date:
2023-05-04 23:19:39 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/2843b79a-9817-4229-adf3-1e07d36e7eef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386656/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64543d2a79130eaa1e93d813/reports/41a307c5-ba5b-495b-87e9-fad50a88a0d5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e2b635b-3294-4581-8f8c-ef070cd9e6ae
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226581
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 859544 Sample: new_order.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 7 new_order.exe 7 2->7         started        11 haUPLrhGzBWZ.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\haUPLrhGzBWZ.exe, PE32 7->31 dropped 33 C:\Users\...\haUPLrhGzBWZ.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpF2E7.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\new_order.exe.log, ASCII 7->37 dropped 57 May check the online IP address of the machine 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 13 new_order.exe 15 2 7->13         started        17 powershell.exe 20 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 21 haUPLrhGzBWZ.exe 14 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 checkip.dyndns.com 158.101.44.242, 49684, 80 ORACLE-BMC-31898US United States 13->39 41 checkip.dyndns.org 13->41 43 192.168.2.1 unknown unknown 13->43 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 193.122.130.0, 49685, 80 ORACLE-BMC-31898US United States 21->45 47 checkip.dyndns.org 21->47 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 19:23:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ea6fjw3ousntgkic576f4s4msns7szv5orfqanznu65o6s2fdbha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
11d5f5ceb48ca7a34ddf39853c57a5128e4f5edb51b603a0ad775ed59b5024dd
AgentTesla
37617e571066d7e620392e8be59f962ae9c20dade410e7291b345bf669b0c59d
AgentTesla
5027d53a0f057968982a4c2610a105ce2fe89d9e2de1ffc70177c750be3a8385
AgentTesla
60b3645a7d02232fd97ba076bdb88e6a801f462ce972d79366df9261a9f62720
AgentTesla
8612a4be1e824a7d1062b9c37210e39cfd3677970b859ca80a46e8a1e7e424d2
AgentTesla
bfede26656dbab01c01f5187f8a5d9b63cd0f8bba301e8c1d145bda515960f02
AgentTesla
d7f55b222b8d9a235401bc900230aff5b37da8cc7e9431459da35b380c5c55bf
AgentTesla
de567e5c1f4968bfb083ffcb111e1d0613780a47c58767af65fbd90c27507b4b
AgentTesla
e710d551910b6751fc61ebe64138b020526a8d6d24ff282c96d7f74249da0a5b
AgentTesla
e7ebcd95f56f4c089d56ba8519b2ef3abe3d765abbf56a9959071fe6914f16da
AgentTesla
+ 711 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/230504-2982fahe3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6201063260:AAFNunaDOhtoeTfrWIWz56huyZbdHssBU3s/sendMessage?chat_id=5932819427
Unpacked files
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
SH256 hash:
890db6fd277d09a68a1839f567b355b41b9e35999cb1d8523d34ec4dbd7033da
MD5 hash:
176da40d688353f6f3ed6a6b7473ef76
SHA1 hash:
b74b5fc96323d3025889dd23933980f82e6b20c0
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
SH256 hash:
94e55544403b1dd8461dbc405f231625c8f8fc4114bb8477a988dfd89731b070
MD5 hash:
4483a53c8760130b940b5a8bcecb71e7
SHA1 hash:
9d3ebdc71bdb539add9325f4211dc4dad48cc21d
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
Parent samples :
eab658dc337806cf9d581da4cb44cfdea0a7ed1d9a5007848faeaa0b624fed3b
eb9b75de38d85a10701424dccef23e23ed5fe323b52871cde5b4054f4dc6c087
4018954cd403dd6290586606332d069967bb4bad1302bf071475d94423aaaa1e
5027d53a0f057968982a4c2610a105ce2fe89d9e2de1ffc70177c750be3a8385
d7f55b222b8d9a235401bc900230aff5b37da8cc7e9431459da35b380c5c55bf
203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e
87405f169e42b52d9561d79b89f6898cc735f0edc26905baecf21673244455ad
e09602a4f8e956bcadcefd160458c0e669d176a1915edb9715e7d7aee549efed
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
SH256 hash:
917bc6336e7d81e8be85a9b07110a5adfbce072f972d21df596b8069f7ae3850
MD5 hash:
01c7b1649e6e927dbc403ecd034810bf
SHA1 hash:
1e94d77f3be5bcc3a37958025cbf22c8861967d9
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
SH256 hash:
b8bb9addd7cc9e8ed045d58846410ed953d2ca0f486e80df79b633104cdf7ebf
MD5 hash:
48fa422c378a1759f4192489742a5dfc
SHA1 hash:
451a5c48bacbdc0397661cd04784bec1fce772ac
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
SH256 hash:
203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e
MD5 hash:
114544ab1868f27ef24cb813406e06c0
SHA1 hash:
9f3329f0e442340ad2c7049bb7f7b488851dda64
Link:
https://www.unpac.me/results/bb8efb20-dde2-4088-a279-662001b8e412/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/203c54db6ea4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 203c54db6ea49b332902effc5e4b8c9365f966bd744b00372da7baef4b45184e

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386656/

Comments