MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd
SHA3-384 hash: a9c161fac92420d9718777c7080a624e63cbbf3954de8a1a0387b6402076434178acae874f405bf0004f51df34322086
SHA1 hash: bd11cced5ce55e399d849e7169be497d239a9f39
MD5 hash: a15d62e5cbcc04eb260aeeecbfb07cc4
humanhash: carpet-magazine-lake-emma
File name:ORDINE DI ACQUISTO N. BCM190282.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'824 bytes
First seen:2023-01-24 09:29:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:eKkMtEwcU3gZ+GQzjkATGdslyugqzDeihQHTwyE5OmAPHPbs1bIxbAB5d/Iu5Yix:eV6AAgZbQzlGwycPNQzDVtg1bqU5hIWf
Threatray 24'202 similar samples on MalwareBazaar
TLSH T1FAE42310B27D5764C2E887F5A663410557F17E26E232E23D0DE1E3EF1E3AB904A50BA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDINE DI ACQUISTO N. BCM190282.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 09:32:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7617b8b9-b3ae-48f7-87f9-f52127195768

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356333/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63cfa51d2b351a3d0ea82cce/reports/792b7ab9-0783-4e28-a9c5-f1939eb73e57/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c138d15-c9a0-42e5-b045-ceb2c78b0308
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157776
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790514 Sample: ORDINE DI ACQUISTO N. BCM19... Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 16 other signatures 2->57 7 tOSZaKdlRuV.exe 5 2->7         started        10 ORDINE DI ACQUISTO N. BCM190282.exe 7 2->10         started        process3 file4 59 Antivirus detection for dropped file 7->59 61 Multi AV Scanner detection for dropped file 7->61 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->63 67 4 other signatures 7->67 13 tOSZaKdlRuV.exe 7->13         started        17 schtasks.exe 7->17         started        35 C:\Users\user\AppData\...\tOSZaKdlRuV.exe, PE32 10->35 dropped 37 C:\Users\...\tOSZaKdlRuV.exe:Zone.Identifier, ASCII 10->37 dropped 39 C:\Users\user\AppData\Local\...\tmp7076.tmp, XML 10->39 dropped 41 ORDINE DI ACQUISTO N. BCM190282.exe.log, ASCII 10->41 dropped 65 Adds a directory exclusion to Windows Defender 10->65 19 ORDINE DI ACQUISTO N. BCM190282.exe 15 2 10->19         started        21 powershell.exe 20 10->21         started        23 powershell.exe 21 10->23         started        25 schtasks.exe 1 10->25         started        signatures5 process6 dnsIp7 43 api.ipify.org 13->43 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 27 conhost.exe 17->27         started        45 api4.ipify.org 64.185.227.155, 443, 49715, 49719 WEBNXUS United States 19->45 47 api.telegram.org 149.154.167.220, 443, 49716, 49721 TELEGRAMRU United Kingdom 19->47 49 api.ipify.org 19->49 75 Installs a global keyboard hook 19->75 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ni4mxb35yv7pujh6e7pqdynbdraan737t6vcbjuk5o7w6ome77gq._file
Verdict:
malicious
Similar samples:
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
54c9982441a435a8b22d24586a27be74cf0613498ccbc7f27440a12881e843cc
AgentTesla
8ee64c1e736af072147a203e1db12d28b06cbc25e022092291dbcc47d65da67f
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
c5a38850fd0174c6c0464695cb4a01e8b75b1d3010df4c05a6b70c595ff3cb5e
AgentTesla
d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
+ 24'192 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230124-lgh2jsad67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
803b73e276ea80fe54e719847c625c1a59982a9a4d51a7d742f71fbd0a819815
MD5 hash:
9dbbd03ddec49d2b8a8bc310078377ff
SHA1 hash:
d971e4c2b6191104e66934a9e36cd4a8edc78e8c
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
SH256 hash:
d20ec673e68fe14f3f694c8e7d8d8b169d744425a1564189da5d581906b24edf
MD5 hash:
d41317d9f661363b33fd2b38a7f4a526
SHA1 hash:
86ef2c3ebb9b4e015734eb28df45588cff88fa66
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
SH256 hash:
3134cd8f95b4235a09aa84c37bfb8651ce2c1ea4ad376dc7b46a0d6af37886f3
MD5 hash:
164f656db0ac97f9a3083439c962bad5
SHA1 hash:
8424c2c514bc02b3ac9017d2b43ae9833e2de05f
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
SH256 hash:
6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd
MD5 hash:
a15d62e5cbcc04eb260aeeecbfb07cc4
SHA1 hash:
bd11cced5ce55e399d849e7169be497d239a9f39
Link:
https://www.unpac.me/results/042374c1-9b65-44aa-b1b5-1accbb0463cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a38cb877dc57efa24fe27df01e1a11c4006ff7f9faa20a68aebbf6f3984ffcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356333/

Comments