MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a052664d784432a0f9a707401e4095bef5d7703c32f9314dd5c9bdd5b273a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a052664d784432a0f9a707401e4095bef5d7703c32f9314dd5c9bdd5b273a1d
SHA3-384 hash: 4d6ce4d040bc2dfe18ce9e35be99070a5d91fd99bde8540b9cb192e66e313725d027578ccbb9b6b7bb8f37b9c6dfdf8b
SHA1 hash: bb63c25fc5730c0766f6f0de491725bc034a8a1f
MD5 hash: 7de57138380dd92fbee7229d46adee4a
humanhash: coffee-chicken-pasta-nineteen
File name:New Order #21076.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:948'736 bytes
First seen:2021-01-25 16:10:55 UTC
Last seen:2021-01-26 06:25:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:cTDfabSe6yrFmHFakCErL0aK/ma9WB+VhHOej7iMTVtL/fH:aYr4HFtCE3eNbTVZ3H
Threatray 6 similar samples on MalwareBazaar
TLSH 7E15355131E0CA9FC53A42BA0664DC9C62A45EDDFD40863818BD799F362FE8E47C06B7
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order #21076.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 16:13:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d628d147-dcae-4436-9ec4-8659069f67b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113755/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.26460.632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589731
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a052664d784432a0f9a707401e4095bef5d7703c32f9314dd5c9bdd5b273a1d/
Threat name:
ByteCode-MSIL.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 16:10:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=licsmzgxqrbsud42ob2adzajlpxv25ydymxzgfg5lsn52wzhhioq._file
Verdict:
unknown
Similar samples:
1fbdb4d5cc70b77728853bf7dd9c53b8f2cd49055503be07ea3a13e7459757c7
AgentTesla
23d1aeac6fe7d135fbb00e8316eb078183138b74f4adf33497a8fa8ae685e9b5
AgentTesla
606eeab956905f8a7f4ef02f7418e9a6ac4facbd2445fd1e3a1cb00a94113525
AgentTesla
817f8cd46ad17c8f466e99582e24cc335ff5be48d6f8fbc6d41dc466be8fbb35
AgentTesla
cc5f2535e7084ab756833bdabffa3067020fce7e285409089d14648ef3e5b6cb
AgentTesla
ec51e50ebea3906ef87c852c95b256e3948a9bb789981a9dd1fe673d78663e66
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210125-92r4xevkrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
f2d193bacc3d76a7df3e5c273c907098c771a5ea0a1564dd92e1c214af3cd995
MD5 hash:
8a49d4d3e155354d647ea5e24241b960
SHA1 hash:
b33bdcbbdd702e8022bf3d42114b2f9f576510fc
Link:
https://www.unpac.me/results/3c3e2c20-e297-4f8d-b2a6-5d2acbf5c0a0/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/3c3e2c20-e297-4f8d-b2a6-5d2acbf5c0a0/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
3a14174e8daa538179e0bed1ac5e66f134a497c0e64c563c3cbdcac37125e442
MD5 hash:
5021b066acd4987a47f455a5018e6418
SHA1 hash:
09a040406037e22cc78f7109609a2f02d2b251cc
Link:
https://www.unpac.me/results/3c3e2c20-e297-4f8d-b2a6-5d2acbf5c0a0/
SH256 hash:
5a052664d784432a0f9a707401e4095bef5d7703c32f9314dd5c9bdd5b273a1d
MD5 hash:
7de57138380dd92fbee7229d46adee4a
SHA1 hash:
bb63c25fc5730c0766f6f0de491725bc034a8a1f
Link:
https://www.unpac.me/results/3c3e2c20-e297-4f8d-b2a6-5d2acbf5c0a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a052664d784432a0f9a707401e4095bef5d7703c32f9314dd5c9bdd5b273a1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/113755/

Comments