MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6
SHA3-384 hash: 9f9b8dfd71a494614bfcaee707426b6a31bc1a18108f8bd73295c3867fd4b7667eceb7db67dae6f8cbb87d3bcb5b270c
SHA1 hash: 4534906160d30d952de9dc565d76afade51ed271
MD5 hash: 5d8e3878fd878c20cea3a1c9eca1b28a
humanhash: oklahoma-papa-oxygen-washington
File name:Order List EO102.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:968'192 bytes
First seen:2021-09-20 06:07:33 UTC
Last seen:2021-09-23 09:02:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:/A6EFuN+FoJG2GOK498M7pORaXMMwKuDRAQ:FEFuN6oJGGoM7pnXf
Threatray 10'025 similar samples on MalwareBazaar
TLSH T1A725D03422948226E2BBA7F8D4319460873EBD469436D6DE1CC2ADDB3DF134D811AB5F
File icon (PE):PE icon
dhash icon 644edee4f4f0ccd4 (3 x AgentTesla)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order List EO102.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 06:08:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0aa36637-351e-40fe-8c5c-976c558f5726

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189202/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Taskun.4c.26472.4941.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the shell\open\command registry branches
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5514207-53ca-43de-bfeb-c8964fe94d39
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853744
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486175 Sample: Order List EO102.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 10 other signatures 2->39 7 Order List EO102.exe 3 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\TIGQUYy.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpA894.tmp, XML 7->25 dropped 27 C:\Users\user\...\Order List EO102.exe.log, ASCII 7->27 dropped 41 Adds a directory exclusion to Windows Defender 7->41 43 Injects a PE file into a foreign processes 7->43 11 Order List EO102.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 medicare-equipment.com 192.185.84.191, 49782, 49783, 587 UNIFIEDLAYER-AS-1US United States 11->29 31 mail.medicare-equipment.com 11->31 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 02:11:27 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mswu54xe2kbgenn6kmt7qbtkybcg6xkt4ipz73i6jcwqhad5glda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ce0a82bef3a8852e9cd21fa303880fe34243a8bf8940384a8303da6b4677a2c
AgentTesla
14db3f82df6b962247e632da97767bb052805916a4936000ee500ae87479c7d8
AgentTesla
5dd92be22d005624d865ddf07402eb852426fc97baa52bbc58316690d41adb74
AgentTesla
6cda0c998a3484125f71a4c086e2652a72c977d90ff4e187a5dae1d62239f31e
AgentTesla
7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223
AgentTesla
7cd6d59439d525ccf002e777f2118121cd494a5a6d5de8710298344beaeb6c72
AgentTesla
81a5ce1c2439d2dca4eabecfc150f3fa1003f570913157a74cf1c5c1737f006d
AgentTesla
ae33000cbdc7cc10a8d86ce07727c8159d66a6707e2a453d996dc61c709de96f
AgentTesla
fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee
AgentTesla
fc40429e1461e2cc002fdb2b131ca7eadd4f3a688a24130197667c3493213986
AgentTesla
+ 10'015 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210920-gvwgksdah8/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a20458d8fbc46be9492b17270f603bd0a015042a2e25d5e54c09558acfe7948f
MD5 hash:
c6c0d601cad49cbfcd076fda24c79947
SHA1 hash:
f14e2010d4e0ab9c388a8e87b8a115685a82889c
Link:
https://www.unpac.me/results/2616eca5-15f8-4586-ad29-f5aaa6457676/
SH256 hash:
3d9b1393c28e5dbffdfc864c5f274c9ff04ac7da4c260b1a546743d12880a1e2
MD5 hash:
b17f380d367579e9b1f8ec0ae24a0de4
SHA1 hash:
cbddfd39be821fedcf687345bda363ce1fd2871c
Link:
https://www.unpac.me/results/2616eca5-15f8-4586-ad29-f5aaa6457676/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/2616eca5-15f8-4586-ad29-f5aaa6457676/
SH256 hash:
34c4015f72292ed28c5cc706bae11c24f67ad7ca218cd2f117b443f0036156a8
MD5 hash:
b700f40c0aead174f68609159e7798c1
SHA1 hash:
3a2d68f8a04716b59a0ed9ecad251debe37f68d7
Link:
https://www.unpac.me/results/2616eca5-15f8-4586-ad29-f5aaa6457676/
SH256 hash:
64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6
MD5 hash:
5d8e3878fd878c20cea3a1c9eca1b28a
SHA1 hash:
4534906160d30d952de9dc565d76afade51ed271
Link:
https://www.unpac.me/results/2616eca5-15f8-4586-ad29-f5aaa6457676/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 64ad4ef2e4d2826235be5327f8066ac0446f5d53e21f9fed1e48ad03807d32c6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189202/

Comments