MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c
SHA3-384 hash: bb153efc7d813b95bda3931338d67ab952e75b0522c0e35554dfa5df120eb52f6d12dc41b0047d57eb83ce56b6208faa
SHA1 hash: 5a676329d7ccb0a0e06b516553f0e05f4de820ca
MD5 hash: e473e0d02609c994b68fbcf14d73698a
humanhash: lima-mars-mexico-sodium
File name:order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:961'536 bytes
First seen:2020-08-14 08:49:37 UTC
Last seen:2020-08-14 11:01:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a0c33d818fc4e67f31e25997fee8a14 (1 x AgentTesla, 1 x RevengeRAT)
ssdeep 24576:vQxO8esPYZJKX3eERqJRQfIonDPF7n3DcI21Uf+oF+/Z:YxTPY+neERqJRQgonzF7n3DcI2x
Threatray 28 similar samples on MalwareBazaar
TLSH 44157D2427509C33D967153F9D70F228261D3F240AA6398BA2929F1FB7562E7CB13726
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: abelgreat.dynu.net
Sending IP: 142.11.245.222
From: Margret Z<MARGRETZ@MNET.CO.ZA>
Subject: Tender/Bidding
Attachment: INVOICE2.doc

AgentTesla payload URL:
https://onedrive.live.com/download?cid=09629E9967C87661&resid=9629E9967C87661%21148&authkey=AOYMkSiES-DFlR4

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45657/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Modifying an executable file
Sending a UDP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/429064
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 267022 Sample: order.exe Startdate: 15/08/2020 Architecture: WINDOWS Score: 76 25 Yara detected AgentTesla 2->25 27 Machine Learning detection for sample 2->27 29 Machine Learning detection for dropped file 2->29 31 2 other signatures 2->31 7 order.exe 3 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 7->21 dropped 23 C:\...\c9b9b8af022a4b269584b794e5506841.xml, XML 7->23 dropped 33 Writes to foreign memory regions 7->33 35 Allocates memory in foreign processes 7->35 37 Injects a PE file into a foreign processes 7->37 11 cmd.exe 1 7->11         started        13 MSBuild.exe 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 schtasks.exe 1 11->17         started        19 WerFault.exe 23 9 13->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 08:51:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5humadm7uokuujhk33ke7tm4ikacjgxp4njphbmclinmnsszvoa._file
Verdict:
suspicious
Similar samples:
2b5d96d018098da5990f2d6d721ab925efd4422c13cccf031775b6fddd5f801e
AgentTesla
464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b
AgentTesla
50d83791145d6b09c47fc90279d568bff571181c97d9dad9ab63c3e9c9b935af
AgentTesla
5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7
AgentTesla
66178c5a45af58b7b0710d3867d501cbef090c10817fd1ebf5555477c2c32098
AgentTesla
735371cde40d19b56069dc9cbf5c68e138b12bf9b188ef448abb7b36be143eb4
AgentTesla
8433ac6d87185d65251a833f4f37ac4095395d2751da1ff95e8d9d4e53656480
AgentTesla
cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d
AgentTesla
d3dc0fad4580b2c3d0f5bfe27fd99d66b20f2a2c65c219218f9e6628a9df5d2b
AgentTesla
d4ce64cdc542c8733eb5b0445875887874d467ee1f13ef1a2bd6e7d568d3f97d
AgentTesla
+ 18 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200814-jkyqxy7bme/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc fa7e0a35dc579756e574a23f1c780af6b7ab12210e98036370bf45bc09bc5015

AgentTesla

Executable exe 574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/432996/
  
Dropped by
MD5 52e74e283b5eb5379b7e1e449ed62843
  
Dropped by
SHA256 fa7e0a35dc579756e574a23f1c780af6b7ab12210e98036370bf45bc09bc5015
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45657/

Comments