MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf
SHA3-384 hash: 2ceebe3a52b9933f7afdd99d87d2b94a6a129a724b33b87948b5f5093f8d08da466c19070bed35791693813f8e5f83c5
SHA1 hash: 366a3a414b29de954c1e5885be4dcbb02b2918ba
MD5 hash: 87313d2f55ddd9b329bfd39f148e4d16
humanhash: north-aspen-north-maryland
File name:Order 6189.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:879'616 bytes
First seen:2023-06-20 06:42:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vNcalYtYq7J3At5iHOq+ZQ8HV/2Z//yI191XILz0vM6J0d0tX806JBHjFMY:DQYqtm8OqK3V+lqwv3Bd806J1
Threatray 3'090 similar samples on MalwareBazaar
TLSH T16315E02036B90F56D17997F90042A23107BEAA6A783ED7585ED3F0DB1A62F450E52F23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe RFQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order 6189.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 07:32:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce519e0f-4e3f-4b64-a240-1c9bb84e6867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400858/
Detection(s):
Sanesecurity.Rogue.0hr.20230619-1034.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/64914a770d4f96f7b605da5c/reports/fee7d5b9-c0df-4489-8644-3ab9ff4ad396/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad477804-912f-4ea9-9080-132839418c4d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257939
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890959 Sample: Order_6189.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 7 Order_6189.exe 7 2->7         started        11 HeDuxny.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\HeDuxny.exe, PE32 7->31 dropped 33 C:\Users\user\...\HeDuxny.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp7AAB.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\Order_6189.exe.log, ASCII 7->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 May check the online IP address of the machine 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 69 2 other signatures 7->69 13 Order_6189.exe 15 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 21 HeDuxny.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.mylaconsultancy.com 57.129.1.142, 49704, 49707, 587 ATGS-MMD-ASUS Belgium 13->39 41 api4.ipify.org 173.231.16.76, 443, 49702 WEBNXUS United States 13->41 43 api.ipify.org 13->43 71 Installs a global keyboard hook 13->71 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        45 104.237.62.211, 443, 49703 WEBNXUS United States 21->45 47 192.168.2.1 unknown unknown 21->47 49 api.ipify.org 21->49 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->73 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 07:21:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krne4o3zqurdwlw3j6ndu53nbrwluemoxtskelpiydahy23h2lhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
AgentTesla
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
AgentTesla
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
AgentTesla
3d0816e876a59f4e3b56bd2105122ef69499f79bab375b0956716494eb286dbd
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
AgentTesla
868c32e8f0d323bf24fbb9c6d073198cdb50a072905ba1f43f3725dceac6863d
AgentTesla
91321c08c110e660a62e8d49e19a6f501d1cc617ddf6abdd88ae7e15b443d242
AgentTesla
beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5
AgentTesla
f2927830e4233d9249db711122cafe8f85bf91afa44409b63aacf64b28176356
AgentTesla
+ 3'080 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-hgxcdsae62/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
SH256 hash:
45bb4dec6f87a581d244fffc647167468589a308e135b230dfa9487fed5f9f80
MD5 hash:
bbec9a2e4b654cf8c981dbe439ec3fd6
SHA1 hash:
ca0b1d78a6454bfa28822c71f49ecb6308a8582b
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
SH256 hash:
ca9067bf7d79c15f136ec864efc0fccd24a0a0dd8e1a067e5365343970632c0e
MD5 hash:
e5d2de6c5567ba49a1d3ec86c828ba47
SHA1 hash:
90722c650438d2a1d10aff0b7bf50ce4e4055c05
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
SH256 hash:
36cb70021e8a153c22312876626b4143dc1cca60862d667d2af0c95a1fb9e8ac
MD5 hash:
98bdc695f132d8e6151d27a362bbdaa8
SHA1 hash:
16b2264b54698e42fb2ad13fa41b3358b42b80ea
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
Parent samples :
36cb70021e8a153c22312876626b4143dc1cca60862d667d2af0c95a1fb9e8ac
1c834a9e0b395b4544646c67f8a12972256500cbabb5b71a7433548e8b558920
6171f1157e6d3840397d27a5f484f8595770ad153d5969aa96a058114243cfa8
545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf
c906a3041425da5b92aca8c125d3d9295839b5edd1bb17b22fdd80f1f18a1293
SH256 hash:
545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf
MD5 hash:
87313d2f55ddd9b329bfd39f148e4d16
SHA1 hash:
366a3a414b29de954c1e5885be4dcbb02b2918ba
Link:
https://www.unpac.me/results/a9e9ce8a-0c93-4008-bcff-c15c49f30269/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/545a4e3b7985/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1acb529b2915329dcc9d5176d1f6986f6453629761843194e53c8bb5d70633c2

AgentTesla

Executable exe 545a4e3b7985223b2edb4f9a3a776d0c6cba118ebce4a22de8c0c07c6b67d2cf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1acb529b2915329dcc9d5176d1f6986f6453629761843194e53c8bb5d70633c2
Cape
Cape
https://www.capesandbox.com/analysis/400858/
  
Dropped by
MD5 0ec05501d79478bd8b519f6dec069d5a

Comments