MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
SHA3-384 hash: e012bb27d6db9c8fe3b05c1b16f5f823af40da29efd7ce7b678b026d34348777215c70191827e90bad9c448b1203d114
SHA1 hash: 9ff92dd22877ae392fc8bd717916fb71198b913a
MD5 hash: 8f3822b0efdca3e1e7f4b56ea55de84c
humanhash: ink-bluebird-indigo-friend
File name:Order List SYINDAC_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'684 bytes
First seen:2021-01-28 06:24:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 12288:s7BmRAF7WrkwOS1vmEI8i0IwD5740T290k1kD5DJaPPgzBMgcctEyvEwr7rI:sgRKekwp1v0Kb4tmhwPIzBHwO7U
Threatray 2'465 similar samples on MalwareBazaar
TLSH 1D05334539A2ABB3F6150271DD360B4DE20F19202137E70687466F6FF1C2A8E5A5FBD1
Reporter cocaman
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order List SYINDAC_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-28 06:27:43 UTC
Tags:
autoit rat agenttesla
Link:
https://app.any.run/tasks/b5a88d25-8177-4641-95ca-6c3281f42ffb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114631/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/592632
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3nndzclludlz3s43wziry6nmi62pp6r2rfgqzq6e54w6mxd3zya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f83e70be0607dff6b747e235c79ea2fce53d2db4905f53d938aa7d1894ba29d
AgentTesla
15adffdd98424d4317bce40e3ba268620ae78df9aca409d4e18f2f9c57d26824
AgentTesla
1a1e74fbe89bed37913351432c163e204018655e51811aabb9e5fc6a06cf5887
AgentTesla
1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420
AgentTesla
1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
AgentTesla
238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
AgentTesla
2d03d586cd5f7c3a9cdda77d45f78124acfef0879489a78081b6885eb75dcd2d
AgentTesla
a690487422504d796125e9df91b906d43a3584cb8b9da7d06fc8f50ce8126c33
AgentTesla
b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1
AgentTesla
fcc8681690501353e6d76cb30176c9972dd81817fe2d02a99ab0f669e78e349a
AgentTesla
+ 2'455 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210128-gvlj5rsyn6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
Link:
https://www.unpac.me/results/95d6cc13-2275-4604-ab38-e0ca939101ee/
SH256 hash:
e79ad3fb9751eeec0cfab09ebf148617ae2503ee1e800f05fbb16e2af30ff577
MD5 hash:
28b2f3ced073d194a70e65c1789a1b46
SHA1 hash:
ac176950e4a6b17d8ff17cb79afe8196c8f32548
Link:
https://www.unpac.me/results/95d6cc13-2275-4604-ab38-e0ca939101ee/
SH256 hash:
daf9d1e0e7d4af7317830e60eecb4f28a3623be4b121f82d1bbdfd259f13c1c2
MD5 hash:
e8fc0684185339246d01a942ad89c039
SHA1 hash:
a044e3d56ee5462caf656254c5baf6b35c4e35d2
Link:
https://www.unpac.me/results/95d6cc13-2275-4604-ab38-e0ca939101ee/
SH256 hash:
26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
MD5 hash:
8f3822b0efdca3e1e7f4b56ea55de84c
SHA1 hash:
9ff92dd22877ae392fc8bd717916fb71198b913a
Link:
https://www.unpac.me/results/95d6cc13-2275-4604-ab38-e0ca939101ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 3ba6bc8895f4f7b5cb211837965491b2609f68e950bc3cfc6a8b57afd4a7b423

AgentTesla

Executable exe 26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3ba6bc8895f4f7b5cb211837965491b2609f68e950bc3cfc6a8b57afd4a7b423
Cape
Cape
https://www.capesandbox.com/analysis/114631/

Comments