MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a1c8710af1b5feb8d8842941840551b2ccfd241e1057bc55a594774b38755a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a1c8710af1b5feb8d8842941840551b2ccfd241e1057bc55a594774b38755a2
SHA3-384 hash: a437a18fded14e27a5bec429cf15fbd64ca1deb9582355b1c6b20ad38f41dd2bcd62cd965b502a9e796f08b9915f6c32
SHA1 hash: a369a3a1ba32ae59bc7af9a09b306fd462257d7e
MD5 hash: 2d9fec71138deabaddae107744dea677
humanhash: september-sierra-colorado-whiskey
File name:Inquiry-Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'028'096 bytes
First seen:2021-07-16 13:08:19 UTC
Last seen:2021-07-16 13:50:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:w3UimeotDb3UC93uZMw+lkqvYkPZof+jupEm7YeC8xb59E5s9181xGlHq1YtG0qW:wEiZCN1uKL3ifjpEmUedj9EesGBw0q
Threatray 7'156 similar samples on MalwareBazaar
TLSH T11B25F12137806F8FCB6E4D76C1625814E3F0D4272617E692ACE322DE64CDB4A9B115FE
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry-Order.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 13:09:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8850236-e436-4173-a348-145920e3a379

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172204/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.931.8252.18875.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/269f7572-1954-49e5-b09a-3fadb1d8675e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817473
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449884 Sample: Inquiry-Order.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 5 other signatures 2->37 7 Inquiry-Order.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\ORVoCyHDWF.exe, PE32 7->19 dropped 21 C:\Users\...\ORVoCyHDWF.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp9C16.tmp, XML 7->23 dropped 25 C:\Users\user\...\Inquiry-Order.exe.log, ASCII 7->25 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 7->43 11 Inquiry-Order.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.privateemail.com 198.54.122.60, 49772, 587 NAMECHEAP-NETUS United States 11->27 29 192.168.2.1 unknown unknown 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a1c8710af1b5feb8d8842941840551b2ccfd241e1057bc55a594774b38755a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 09:34:59 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jioioefpdnp6xdmiikkbqqcvdmwm7usb4ecxxrk2lfdxjm4hkwra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1684642dcdd3c932404f6fd5de002dab97aa1ffb3213e9d09f0e2b8b3addaf7d
AgentTesla
2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
AgentTesla
319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f
AgentTesla
4fa37c31a5207940aa9e0d00fc393f91532e6da3a7dcabba9ab902e33a14afbe
AgentTesla
5b9fe0bbd0638b97634496cb4cd1a6b29da81ae64cc441b67d6fd825d992b9d9
AgentTesla
5ce37eda5b443fa4aba2f5152b0856ef9c3341641ac3c8e7750088301220c6d5
AgentTesla
669e6bcb89355a0e4e293c60f3afd47c671f0d01e7cab9fe00fe48b7e878cf90
AgentTesla
877a10d92f5b06000711b96af3b0705ff13494b7eb38804adcf3f207457cf51a
AgentTesla
9d393dc3fda68914e201012280b9eed4fd76c0dd077817c83c9e05cdf5d3cab8
AgentTesla
ad2fa7de2b185433a3cdc8af606b887bbcf831d30286596ca929f9cae6d516cc
AgentTesla
+ 7'146 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210716-qbwv4b9p3x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
37fb6bcd79a7a34957220bc6a7cff5a12d2438d34aa8330329217b8b6b2dbf5d
MD5 hash:
ebfef9f88ae481c44a8185a98773baee
SHA1 hash:
f8fb128f066e6a8f0a898ea6d1ed512a8cff423e
Link:
https://www.unpac.me/results/51afa6fe-8b33-46a8-bd12-5494d47e5fc1/
SH256 hash:
48c0fa25e37b7e7b036b7712883402bbb47645d019737962b6a897e9eec4f90d
MD5 hash:
022b5ca6732fea68c417a56397714167
SHA1 hash:
9b8b803d1f83e10775a110cf2889f28b6c15360f
Link:
https://www.unpac.me/results/51afa6fe-8b33-46a8-bd12-5494d47e5fc1/
SH256 hash:
13fcf79590a1b2ed01892540486855a4ea8e14d6da4f261e487ace54c83a3ab4
MD5 hash:
baf87c7ac648bc5906b5ad61ab232905
SHA1 hash:
7bb45c4554b492be05cab8b4d28146bb24eefcb8
Link:
https://www.unpac.me/results/51afa6fe-8b33-46a8-bd12-5494d47e5fc1/
SH256 hash:
5e76cf80866fb3c25381758dcc910b532d1b22ed4ac98c8a103c5dfae5809d80
MD5 hash:
aaa30e60beab143e577edc4899e2f305
SHA1 hash:
b51825d84899e4848135ca81d518ab840d0c8d9a
Link:
https://www.unpac.me/results/51afa6fe-8b33-46a8-bd12-5494d47e5fc1/
SH256 hash:
4a1c8710af1b5feb8d8842941840551b2ccfd241e1057bc55a594774b38755a2
MD5 hash:
2d9fec71138deabaddae107744dea677
SHA1 hash:
a369a3a1ba32ae59bc7af9a09b306fd462257d7e
Link:
https://www.unpac.me/results/51afa6fe-8b33-46a8-bd12-5494d47e5fc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a1c8710af1b5feb8d8842941840551b2ccfd241e1057bc55a594774b38755a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172204/

Comments