MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f90917d47ebcebd2c52add9889d9a3a345965b1d8561071100da5c8100553db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	5f90917d47ebcebd2c52add9889d9a3a345965b1d8561071100da5c8100553db
SHA3-384 hash:	d472a2ba4d0b8401ede1bacc6e0713c6f7a27d41138e66b04eb7101429b2024f1e92de6820be0fc3ac4ce96a78b6a699
SHA1 hash:	2e30b91f6ff50880dfd923e263fb366b1e8e743a
MD5 hash:	47a3a3d3dab8009c682dd24aee6b9fc4
humanhash:	yankee-salami-green-victor
File name:	Order OIhzWt1GLrUH81i.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'414'656 bytes
First seen:	2021-08-02 05:32:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:da/F76DOUfx8Dgyfx8DgYwM5cj8a+RTJppLgO9CMrfavXtXUvGdNwDZ:cF76d58Dgy58DgasFOmcCyaOGdCZ
Threatray	7'701 similar samples on MalwareBazaar
TLSH	T1CB65DF9A7540DABBD61C12B59115D8E042A9AC14D223F7EF7E6231B333F1A794B24CF2
dhash icon	316d4d4d5d453135 (1 x AgentTesla)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

826

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order OIhzWt1GLrUH81i.exe

Verdict:

Malicious activity

Analysis date:

2021-08-02 05:37:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2b282575-3484-4bd0-849d-4a4cf6388cf4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175664/

Detection(s):

SecuriteInfo.com.Artemis47A3A3D3DAB8.25493.26368.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd6360e4-2e24-4bff-a363-760572b4065a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/825261

Signature

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5f90917d47ebcebd2c52add9889d9a3a345965b1d8561071100da5c8100553db/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2021-08-02 05:33:11 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l6ijc7kh5phl2lcsvxmyrhm2hi2fsznr3blba4iqbws4qeafkpnq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

66c452b78b6021522f6b726773698cf4bc94e3e6a6b220ca930996afb30fab7c

AgentTesla

6d4d2a2d69e81b0f6b91a437aaf0869956306c347f0b2ed492168f95d6b24d93

AgentTesla

7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

AgentTesla

7e2f14e47ce41dff01f74023757a74a7352ff9ce7ee39d2f78b61ff2a5993897

AgentTesla

978adbd45151d6b915f683cef40113cc2fa08ab0686682b2ce44b9f5b33bb4dc

AgentTesla

a5b4a1aa53134e93a392b7b90cc7c5d4a939d4f61bdf330de08d49fa1b4356ed

AgentTesla

c6b6c3ad94852d0fb8d6cf6d3aa2c4bfd14c627287317a72995a4c59a12d331e

AgentTesla

e9342d5c2ca95888a7589ef0fa20636b3534e64a8e7b419e772977c04745dcc7

AgentTesla

efc33e49a1f2bb8a2caf20a3609c44170c3739c90c1e2f4f236961e13279a3b3

AgentTesla

+ 7'691 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210802-nxx3ynt4j2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

81ac01c83166f4873f48a508c63371cbcea001ef9f56baa3d4379228508cfe0d

MD5 hash:

5bf8a3c056d6b166db360324296087fc

SHA1 hash:

be91a4a4088652a3b0801169e08659783edcd271

Link:

https://www.unpac.me/results/f048472e-57d5-4822-b5d2-445e506769b4/

SH256 hash:

02aeab4eaefe8f12e121ef5ef6fdc1275e3d7642c27f831bed139cbed55acf88

MD5 hash:

15579cc1054bb57b6b039a2b36083bc0

SHA1 hash:

3304e5a2686c5d5a910c98c184f9efc51381335b

Link:

https://www.unpac.me/results/f048472e-57d5-4822-b5d2-445e506769b4/

SH256 hash:

cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c

MD5 hash:

a0f625a3d3348903f3c902f588c0e4f5

SHA1 hash:

20d1f0b74abe6f500e8c21119f55281926210ac0

Link:

https://www.unpac.me/results/f048472e-57d5-4822-b5d2-445e506769b4/

SH256 hash:

5f90917d47ebcebd2c52add9889d9a3a345965b1d8561071100da5c8100553db

MD5 hash:

47a3a3d3dab8009c682dd24aee6b9fc4

SHA1 hash:

2e30b91f6ff50880dfd923e263fb366b1e8e743a

Link:

https://www.unpac.me/results/f048472e-57d5-4822-b5d2-445e506769b4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5f90917d47ebcebd2c52add9889d9a3a345965b1d8561071100da5c8100553db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175664/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample