MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba
SHA3-384 hash: 783ccb0ba40c7ead93bd3daabd3de022e54cf1e518fa488124638670ee555213c0bdeb9272996806f62dc43943ca751d
SHA1 hash: 9a182923c74e027818ec41dc3c7599a5f18fa5ce
MD5 hash: d895a666714328e7deb80458dac454cf
humanhash: august-wolfram-hamper-lima
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:902'144 bytes
First seen:2022-07-12 07:44:37 UTC
Last seen:2022-07-12 08:47:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:7ysWnPznm1geoIojjm9kGwYjtGNy/7p6JbDQh+iq5RVdzqDBSVoAIPGZShIDDKuV:pSP4FqssNaec0BAoVdoMKu9iq
Threatray 19'198 similar samples on MalwareBazaar
TLSH T14815F125FE66CE92D2590A37C8F70B5423B49672C302EF8F2BE511256C133A75C86ED5
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 18a219d4d4198a10 (20 x AgentTesla, 12 x Formbook, 10 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
New Order.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 07:53:48 UTC
Tags:
agenttesla trojan rat
Link:
https://app.any.run/tasks/b871ef26-9259-40d6-b4cd-8e1be23370d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286464/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.27471.25742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/62cd267f81790e51fe5a9e54/reports/88167124-6ff4-41a4-8586-2ff56cade73b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45061776-26ed-4ca6-a07c-ebedca5b76ec
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029202
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661697 Sample: New Order.exe Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Yara detected AgentTesla 2->72 74 Yara detected AntiVM3 2->74 76 10 other signatures 2->76 7 New Order.exe 12 2->7         started        11 prAyoao.exe 17 2->11         started        13 prAyoao.exe 2->13         started        process3 file4 50 C:\Users\user\AppData\...\YfYXxGuzxj.exe, PE32 7->50 dropped 52 C:\Users\...\YfYXxGuzxj.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmpB22E.tmp, XML 7->54 dropped 56 C:\Users\user\AppData\...56ew Order.exe.log, ASCII 7->56 dropped 78 Adds a directory exclusion to Windows Defender 7->78 15 New Order.exe 2 9 7->15         started        20 BackgroundTransferHost.exe 13 7->20         started        22 powershell.exe 24 7->22         started        34 2 other processes 7->34 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->80 82 Machine Learning detection for dropped file 11->82 84 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->84 24 prAyoao.exe 11->24         started        26 powershell.exe 11->26         started        28 schtasks.exe 11->28         started        30 WerFault.exe 11->30         started        32 WerFault.exe 13->32         started        signatures5 process6 dnsIp7 58 webmail.wrcs.in 103.138.189.137, 587 GBLINK-AS-APGBLINKNETWORKSOLUTIONSPRIVATELIMITEDIN India 15->58 46 C:\Users\user\AppData\Roaming\...\prAyoao.exe, PE32 15->46 dropped 48 C:\Users\user\...\prAyoao.exe:Zone.Identifier, ASCII 15->48 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->60 62 Tries to steal Mail credentials (via file / registry access) 15->62 64 Tries to harvest and steal browser information (history, passwords, etc) 15->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->66 36 conhost.exe 20->36         started        38 conhost.exe 20->38         started        40 conhost.exe 22->40         started        68 Tries to harvest and steal ftp login credentials 24->68 42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 07:45:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2s3umsond5nvviqe6iebi6qxckno26am3lx47zo4hcitufyfg5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3cff2b73d77305ffe8c02b009feca9ad0fbdbbbfeec0a1db831caa127f58ef73
AgentTesla
766c317f32e6d60a1eafbb6df187189a28a5acb8e7bfe4448204c9d7c8363916
AgentTesla
781a63f173507bbaf99c4937f324e8b1e746f807583f48328e6005ce6aae003b
AgentTesla
78e1fbae10c16b140343e4b74ce4a005518c2811869aa37e38cb8c3e5d4b1d16
AgentTesla
9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d
AgentTesla
ebdbd8487dfdaebc34214de4e2f6fdfc5b5cfb30b9fa98ca9269a4cfae16cb93
AgentTesla
f1a566ebee3c225b2683813ce31c30f6e7648c1dcdd03c991a2d2e99c11bc6d7
AgentTesla
f46fe0537b24b1682cf6468dd8c1eb82d91ed26e8d3de246dcb7153582ef9212
AgentTesla
f8f3a24e97b0c9e4941baab62a4eeb64b9cc7e82ad97398b95b58fbf1289fb24
AgentTesla
+ 19'188 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220712-jldaragfeq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
75552b5a5ee3c974041d14faa590ae2c2ed0418f893646f2c8d656d7cfbe46e2
MD5 hash:
ff0ae86eaab019d5abd0ed69442af13e
SHA1 hash:
f6b5bb43c8e3f709cd8b4d74147d38c6758a9fdc
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
SH256 hash:
7b722870196066d9c2e90b0992d3822301dd6e4ea873f4f849b8ff4458f311c5
MD5 hash:
a5df19ec02c6a8557d19e0aa7dfb4f69
SHA1 hash:
6332b46efeb42afbd91cc82dd7780f2b4209cde0
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
SH256 hash:
ec9b687816c46e7ad4400394a5e5a1a140feedda4bfd317c5d054beae3f6ee09
MD5 hash:
c2b16075b863f490ba3825f6e719ab62
SHA1 hash:
09ff8720f2612058c57f1500489f9f90cac9cf5f
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
SH256 hash:
6f4cda18157722edcd242e0c10cc18deea5aa3a349680aa8b157720dc8829993
MD5 hash:
c5a6bba1ea2cadec4cdf5477e62ea64b
SHA1 hash:
f4376d51073613df4951bf087c7af89997f59edc
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
SH256 hash:
26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba
MD5 hash:
d895a666714328e7deb80458dac454cf
SHA1 hash:
9a182923c74e027818ec41dc3c7599a5f18fa5ce
Link:
https://www.unpac.me/results/aef9e197-aa42-4f36-a945-c35a1c665ef7/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26a5ba324e68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 26a5ba324e68fadad510279040a3d0b894d76bc066d77e7f2ee1c489d0b829ba

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/286464/

Comments