MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108
SHA3-384 hash: c2e3afbea3016be95ad274eb1ddfe8787e20f5c9b977d6b8a587e76ab2d0efa711dcc267c173fcf63dacb9a3864002fe
SHA1 hash: 811a12f7fd96a48400194b4e80525a555283dc58
MD5 hash: 80b9bbec5d0651695a48684b4e35c395
humanhash: stairway-minnesota-triple-harry
File name:order 4500384851.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:294'231 bytes
First seen:2023-08-07 06:41:19 UTC
Last seen:2023-08-07 13:06:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6srMpL6griQQrTO+VVCq2Q0QLxg1tcWFNuP03CdZmj:/YKrMpDrijh/Z0QLgcWFQPPmj
Threatray 5'228 similar samples on MalwareBazaar
TLSH T12754125011F8C0A7DAE24632493BCA27EEF0AD65B771130A7BB4BA1D7C76911EA0F311
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
order 4500384851.exe
Verdict:
Malicious activity
Analysis date:
2023-08-07 06:43:26 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/4e55b94f-7309-4caa-9ebe-c6f289a103de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440965/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.17957.15181.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64d0923b2a1db2a88abee6fc/reports/06baabd8-4f37-4761-badf-bc4169853d0f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c86b0d8-35a3-4ba0-91cc-a631b2e367a4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286876
Signature
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286876 Sample: order_4500384851.exe Startdate: 07/08/2023 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Antivirus detection for dropped file 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 6 other signatures 2->64 6 gpyuea.exe 18 2->6         started        10 order_4500384851.exe 1 20 2->10         started        12 gpyuea.exe 18 2->12         started        14 gpyuea.exe 18 2->14         started        process3 file4 26 C:\Users\user\AppData\...\snkvjpvjba.dll, PE32 6->26 dropped 66 Multi AV Scanner detection for dropped file 6->66 68 Detected unpacking (changes PE section rights) 6->68 70 Detected unpacking (creates a PE file in dynamic memory) 6->70 82 2 other signatures 6->82 16 gpyuea.exe 14 2 6->16         started        28 C:\Users\user\AppData\Roaming\...\gpyuea.exe, PE32 10->28 dropped 30 C:\Users\user\AppData\...\snkvjpvjba.dll, PE32 10->30 dropped 72 Detected unpacking (overwrites its own PE header) 10->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->74 76 May check the online IP address of the machine 10->76 78 Creates multiple autostart registry keys 10->78 20 order_4500384851.exe 17 3 10->20         started        32 C:\Users\user\AppData\...\snkvjpvjba.dll, PE32 12->32 dropped 80 Maps a DLL or memory area into another process 12->80 22 gpyuea.exe 12->22         started        34 C:\Users\user\AppData\...\snkvjpvjba.dll, PE32 14->34 dropped 24 gpyuea.exe 2 14->24         started        signatures5 process6 dnsIp7 36 104.237.62.211, 443, 49701, 49703 WEBNXUS United States 16->36 38 api.ipify.org 16->38 40 mail92100.maychuemail.com 112.213.92.100, 49700, 49702, 49704 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 20->40 48 3 other IPs or domains 20->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->50 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 Creates multiple autostart registry keys 20->54 42 173.231.16.76, 443, 49705 WEBNXUS United States 22->42 44 api.ipify.org 22->44 56 Tries to harvest and steal browser information (history, passwords, etc) 22->56 46 api.ipify.org 24->46 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-06 23:27:51 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjcputgvhostrezqkxxews7mp6kxtec4mgdivla35lla65z4geea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
193e2444ca045fd813211cd2c4093f882b6d0bfe183d7a66ad3492bf90b00d3c
AgentTesla
3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4
AgentTesla
498a462f90680268425f0be93b68cf289a0aafa02c9159e2f708a55d7c694896
AgentTesla
4c39d7bc897c365a5c93f4fa958362f6e98d6cbdf8f7dcd9f84aa16caa972855
AgentTesla
5b8c0c56e48b1a5046c75da4416a009d3c9e00ab046223139551ba6c7126e4a7
AgentTesla
89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
AgentTesla
ba698cd54cd138ebd1df234e780463070b9e108e980512fb33a857af1c3c6248
AgentTesla
e949856ccd8b9d36fb7c2322f2c09d2a969c0121c9b08361cf16dc08c316d3ad
AgentTesla
eb8e351b8fdaadf5429c19d052428ab81b91170406b937d0f3753e334a757fe3
AgentTesla
eda76d518118e4843804277202fb22ac8239f7231775f411d0b36c2980919786
AgentTesla
+ 5'218 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230807-hgcb8afc4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
04dc4003c33e5e2f7023efc2fa2276760b5de54a6cd3316d70eddf1f8f28a9fa
MD5 hash:
b3f352471db2d795b720c16d528acc99
SHA1 hash:
a04dd0b979176e8be18d74e29f14118fc1dcb9fe
Link:
https://www.unpac.me/results/9cc0b5b1-ff22-4a95-8695-4848af5c7053/
SH256 hash:
7c7dae711d036d21531c86e799e066a860a66502effe68cd8ba3c0abef9473be
MD5 hash:
5c6236ffaab012b20c878cdbb0a5c9bc
SHA1 hash:
9c203a38eb1649d07c4fcfd013e2edff193c9179
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/9cc0b5b1-ff22-4a95-8695-4848af5c7053/
Parent samples :
e949856ccd8b9d36fb7c2322f2c09d2a969c0121c9b08361cf16dc08c316d3ad
ba698cd54cd138ebd1df234e780463070b9e108e980512fb33a857af1c3c6248
3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4
5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108
90457bb78ba96cefe86336dc292d5cceccf140ad44c680a01cdbd9e95d5ba93a
111955a5d7cb6b3059b043fd5cfd02827e0be24723c08133890836fc7b5c6121
163fdfd91953364306bcf8c6d69cada7306f0452fe3373e3247b5641123a0251
a0b6b9a0c87f57a88be1c4d631fb3d4f181eb545e7266d5c7463ff169f4b358b
40c36e5d6cec1bac32779ed8e2e2dceceae01a70115a23d3b3d32e9c56db86b3
e1fae54e9fb4d1c3d42119a980b7992cbadfda5c7051de61a2d1cef9d251c173
6f4954a23f51c48f450992f809848da3a8bb5c1d7c4bc262332fa2507f1a1cc9
f14adf8284d2d04072445b5744da50141332a86ec1f28fd7ca6e316b1a7e0b24
1520e3aac22234e1618a340dd4fd8015b661e07f43376291f86f4e59fe00a86a
b72cb2e4f13faeab3a9301367bfef0329f84700344f0ea29836f248004a11d70
51facce8035a547ae04ce3a005709418d6460bc49ca5dda71e8f32cc5ca2e137
17a097e7721e0542fb64dc7dd250c63b5ad3ed0a9ca2e23cb6df95e5a26f528d
9f3154e4f37ebd257119f4ae53522594b9d9f8cea1688472dd60fd14a4016fe6
SH256 hash:
18d8a6f7d449f2c0d446e658ce05bb4a543dee9aaef1de646a1f61b409113785
MD5 hash:
8fc164ff222a4bc0d5b8db2b735cffbb
SHA1 hash:
59eb826cace114af914d73f808ef4571794b599b
Link:
https://www.unpac.me/results/9cc0b5b1-ff22-4a95-8695-4848af5c7053/
SH256 hash:
5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108
MD5 hash:
80b9bbec5d0651695a48684b4e35c395
SHA1 hash:
811a12f7fd96a48400194b4e80525a555283dc58
Link:
https://www.unpac.me/results/9cc0b5b1-ff22-4a95-8695-4848af5c7053/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5244fa4cd53b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 5244fa4cd53ba538933055ee4b4bec7f9579905c61868aac1bead60f773c3108

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440965/

Comments