MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 386d1d77650707bdbaae831b56662183b946b8c8588ec5860f1bede73b05f9a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 386d1d77650707bdbaae831b56662183b946b8c8588ec5860f1bede73b05f9a4
SHA3-384 hash: 45c0dbb4f2496a4473af65786597eeb340d8d5470c138b3a6994dadcf59d3c0033822b5710af6b7ff0201a8fc9b2715f
SHA1 hash: 5a0d5fd5eda898425eab182716fcfefeec7d3045
MD5 hash: 7872384b818051ce7708b5da1625b4b3
humanhash: uniform-california-bravo-louisiana
File name:New Order052.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:38'912 bytes
First seen:2022-05-27 06:30:53 UTC
Last seen:2022-05-27 07:40:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:AMPCRE2ZwYdlDbw+CQiC8ehPEJNIoCpYC740jjOS0arKo:ABRZqYdR9Je+xqJ0mS0p
Threatray 17'449 similar samples on MalwareBazaar
TLSH T15903E61DAF5C8F21C6095EFACA87F58502A19DC2750BCB5E24E5321E0AF2BE6CD7D901
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4730d8d4d4d830c7 (4 x NanoCore, 3 x SnakeKeylogger, 1 x BluStealer)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://74.201.28.111/terhy/qc/inc/dfb2a0c54d487e.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://74.201.28.111/terhy/qc/inc/dfb2a0c54d487e.php https://threatfox.abuse.ch/ioc/641114/

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
New Order052.exe
Verdict:
Malicious activity
Analysis date:
2022-05-27 06:31:17 UTC
Tags:
trojan rat agenttesla opendir stealer
Link:
https://app.any.run/tasks/6e901bb7-72be-4095-9c1b-64cd4d56774d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274879/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.6832.28301.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe installutil.exe obfuscated packed vidar
Link:
https://www.filescan.io/uploads/62907063054dcf0ecaf51ce8/reports/1096196d-51c5-4f5d-af96-ee3650f66839/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002474
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634970 Sample: New Order052.exe Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 7 other signatures 2->76 8 New Order052.exe 16 8 2->8         started        13 excel.exe 2->13         started        15 Ilqac.exe 14 3 2->15         started        17 2 other processes 2->17 process3 dnsIp4 68 3.124.188.36, 49773, 49788, 49794 AMAZON-02US United States 8->68 58 C:\Users\user\...\Vbvqxmatjxkftjc45i.exe, PE32 8->58 dropped 60 C:\Users\user\AppData\Local\...\Ilqac.exe, PE32 8->60 dropped 62 C:\Users\user\...\Ilqac.exe:Zone.Identifier, ASCII 8->62 dropped 64 C:\Users\user\...64ew Order052.exe.log, ASCII 8->64 dropped 92 Creates multiple autostart registry keys 8->92 94 Writes to foreign memory regions 8->94 96 Injects a PE file into a foreign processes 8->96 19 InstallUtil.exe 16 8 8->19         started        24 InstallUtil.exe 8->24         started        26 Vbvqxmatjxkftjc45i.exe 14 3 8->26         started        28 cmd.exe 1 8->28         started        98 Document exploit detected (process start blacklist hit) 13->98 100 Injects files into Windows application 13->100 30 conhost.exe 13->30         started        102 Machine Learning detection for dropped file 15->102 32 cmd.exe 15->32         started        34 cmd.exe 17->34         started        36 conhost.exe 17->36         started        file5 signatures6 process7 dnsIp8 66 74.201.28.111, 49802, 80 DEDIPATH-LLCUS United States 19->66 56 C:\Users\user\AppData\Roaming\...\excel.exe, PE32 19->56 dropped 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->78 80 Tries to steal Mail credentials (via file / registry access) 19->80 82 Creates multiple autostart registry keys 19->82 90 3 other signatures 19->90 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->86 88 Machine Learning detection for dropped file 26->88 38 cmd.exe 26->38         started        40 conhost.exe 28->40         started        42 timeout.exe 1 28->42         started        44 conhost.exe 32->44         started        46 timeout.exe 32->46         started        48 conhost.exe 34->48         started        50 timeout.exe 34->50         started        file9 signatures10 process11 process12 52 conhost.exe 38->52         started        54 timeout.exe 38->54         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/386d1d77650707bdbaae831b56662183b946b8c8588ec5860f1bede73b05f9a4/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-05-27 06:31:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
11 of 41 (26.83%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbwr253fa4d33ovoqmnvmzrbqo4unogilchmlbqpdpw6ooyf7gsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b7382ea2de070f5b428fc1cab6608b28f475e928ac8bc26ab30bbfa21703a5c
AgentTesla
5981e4680be680e021707c380061302007ca6bc40e987b711e7fc2c0b59f157b
AgentTesla
5d0676bfa91a4d8b232853490351f6b16afc582cbd181d0343b1d08dd97e0c2f
AgentTesla
91c7b4d4562824503e151f7cc5eddcc5df9a767f2857ca9579a6c9ad6e496ae0
AgentTesla
abf1733bc49c4c7a81fb6782921fa509c8c9e6543206602be3a3b293fde27eac
AgentTesla
cd86003ab8ab0e23a58b293d44c0cafba02fb92d7f7b7b5f2a32ab8d19f9759f
AgentTesla
+ 17'439 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220527-g92l5shbd9/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
AgentTesla
suricata: ET MALWARE AgentTesla Communicating with CnC Server
Malware Config
C2 Extraction:
http://74.201.28.111/terhy/qc/inc/dfb2a0c54d487e.php
Unpacked files
SH256 hash:
386d1d77650707bdbaae831b56662183b946b8c8588ec5860f1bede73b05f9a4
MD5 hash:
7872384b818051ce7708b5da1625b4b3
SHA1 hash:
5a0d5fd5eda898425eab182716fcfefeec7d3045
Link:
https://www.unpac.me/results/6f8808e6-279e-474e-a3d7-b4f07a34f018/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/386d1d77650707bdbaae831b56662183b946b8c8588ec5860f1bede73b05f9a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274879/

Comments