MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e
SHA3-384 hash:	c49a1834d4158a593e31a95029782f68c09921c89a048624e8b34623693484b6f4b667ff8c57690113322e942109a228
SHA1 hash:	e90351dfa222c715581a138a84b745ab6287b18e
MD5 hash:	b709053377925814610002d3cd301cab
humanhash:	aspen-mobile-enemy-mars
File name:	NEW ORDER.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'740'800 bytes
First seen:	2022-04-19 12:26:24 UTC
Last seen:	2022-04-20 10:21:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	49152:tqNSH/jyHN4vtadexpnIFvx6DiLDWpe8e:tqHNOMCFIZx6GLDWpe8e
Threatray	16'380 similar samples on MalwareBazaar
TLSH	T1178523527A43E8F2E138163BFD87544D22651FA2D913C64E66E3F20A0A733E64F449B7
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	d3d3dbe3dfdb9fe7 (13 x AgentTesla, 3 x Formbook, 1 x Loki)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264616/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.28175.12860.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/625eaa97ffe27d51190b8fc8/reports/4cfd6086-f5dd-43b4-b30e-4254b8ed05ad/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56b39c20-e280-4305-b3e6-f0a8f7c4d9e3

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/978833

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-19 11:00:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 41 (56.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=njovs6g4my2jixzonzvtuqx4p744b3pssdg3h5zyyjb4ekqslgpa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2d85d471ad1d32fccd8a586d9c7a960d0a77812b5e551fcdd16fc8bf1f15924a

AgentTesla

3d9b6f001249131fa6bee7bf7f051ef784ef5ec22bcd8cc4c5b45f6de2c67ec9

AgentTesla

bc297a5178f17d2b1f7c69649155df74086c99486c2caa5a1117fd45f52f41fa

AgentTesla

c3624982c4e27761f6d132bb33b9fd3618642fdc0cc5949a6207ceef392b3d8a

AgentTesla

ddd2c3304f4423f4348cf0d858ecba70eaaba5b652969d5f582a534ccfb55093

AgentTesla

e4179e2d5b9c04e7a59bf9b063c006f5695b5ec90600833006d38129ad0a48a6

AgentTesla

e57cd18f57da68b90790071673ac21fa6bfbb9b2b54451fbe4276fc506536719

AgentTesla

ee11b9c1d7556b48a0097f2a0698680a6a2ed5c0ca87d2756afded5827b228a8

AgentTesla

+ 16'370 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220419-pmqv5abfh5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

50b5d945d89ab1e8df4e6ddfdaeec370f85b98330ca6a8095d93b565aeee13a5

MD5 hash:

7a4f8c30a32ff511d48f97ffbb80faaf

SHA1 hash:

bcdef0b814868a0b5f59461e02a68746f40edc0d

Link:

https://www.unpac.me/results/792fc8dc-9ca3-4c58-aee8-e7d43f3d4888/

SH256 hash:

f5167b8b4f8d166bdd04e7d573d5f83dd870c2ff77bf07f279ea8e6434fb3ef2

MD5 hash:

43a867b49bbffb94612e4d100b9a3644

SHA1 hash:

ab97e50ce0cc7e34ff9c82d1d4aeca5494456fa6

Link:

https://www.unpac.me/results/792fc8dc-9ca3-4c58-aee8-e7d43f3d4888/

SH256 hash:

c966b8a8f79af732f194e8878097b06e99780d31f57091e9b57b39f6975f9da8

MD5 hash:

432402157ba9c867e4417ffcb96121e5

SHA1 hash:

3b98982fff14efcc72e3153ec1fd9789fa320c0c

Link:

https://www.unpac.me/results/792fc8dc-9ca3-4c58-aee8-e7d43f3d4888/

SH256 hash:

7172472f86ff1ff133d5c8ba5bad21ecad8457bf416a5f54e95bee9606639e7d

MD5 hash:

e70ed9e06e6161eebd8c96f36e7b50fa

SHA1 hash:

1789866b0f4ba135471a28d8eaea75151b1bb2c8

Link:

https://www.unpac.me/results/792fc8dc-9ca3-4c58-aee8-e7d43f3d4888/

SH256 hash:

6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e

MD5 hash:

b709053377925814610002d3cd301cab

SHA1 hash:

e90351dfa222c715581a138a84b745ab6287b18e

Link:

https://www.unpac.me/results/792fc8dc-9ca3-4c58-aee8-e7d43f3d4888/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 6a5d5978dc6634945f2e6e6b3a42fc7ff9c0edf290cdb3f738c243c22a12599e

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/264616/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample