MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
SHA3-384 hash: a7627cd068d25232724b47a76b2816bb10e02e4e2b2938bbbab8e9de0b683c3a9b6e08a0386aadca981137933cff609d
SHA1 hash: 4d7b7c5308fb21c58d50d0b8fff92cf2a572579c
MD5 hash: 1e487bd04d2589c6f209c3a13e9d3b56
humanhash: spring-pennsylvania-moon-yellow
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:785'920 bytes
First seen:2023-09-10 18:00:41 UTC
Last seen:2023-09-11 07:04:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1CsuWpPwONpOvxsa8fSuvG/wWAMNHLhpotGhuW/yGOoWQUzD5aBl+2sT/sgRu9Ql:1n5hNYvetFWAMNrhpzhNrv
Threatray 1'265 similar samples on MalwareBazaar
TLSH T1A5F4ADDC3650B5EFC867C976DA982C64E66064BB530BD207A06315ADEE0DA9BCF101F3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 70686830e0c4c4c4 (4 x AgentTesla, 2 x Formbook, 1 x NanoCore)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
348
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
New Order.exe
Verdict:
Malicious activity
Analysis date:
2023-09-10 18:02:31 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/71130db4-7f48-4ae1-ad3f-e91fb3fc03e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447750/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.738.11048.17617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f2d9ee8a-d6b7-4644-aed2-7ab846da41d6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306900
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1306900 Sample: New_Order.exe Startdate: 10/09/2023 Architecture: WINDOWS Score: 100 29 mail.suncil-intenational.com 2->29 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 6 other signatures 2->55 7 New_Order.exe 3 2->7         started        10 yPPclX.exe 2 2->10         started        12 yPPclX.exe 1 2->12         started        signatures3 process4 signatures5 57 Detected unpacking (changes PE section rights) 7->57 59 Detected unpacking (overwrites its own PE header) 7->59 61 Writes to foreign memory regions 7->61 63 Injects a PE file into a foreign processes 7->63 14 RegSvcs.exe 17 4 7->14         started        19 RegSvcs.exe 7->19         started        21 RegSvcs.exe 7->21         started        23 conhost.exe 10->23         started        25 conhost.exe 12->25         started        process6 dnsIp7 31 mail.suncil-intenational.com 14->31 33 api4.ipify.org 64.185.227.156, 443, 49692 WEBNXUS United States 14->33 35 api.ipify.org 14->35 27 C:\Users\user\AppData\Roaming\...\yPPclX.exe, PE32 14->27 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Tries to steal Mail credentials (via file / registry access) 14->39 41 Tries to harvest and steal browser information (history, passwords, etc) 14->41 47 2 other signatures 14->47 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->43 45 May check the online IP address of the machine 19->45 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 03:56:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nlsl4cyvmezk6lebkdfe4kdksuctvqlxsljjlt6sdib2usjyx5ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a12b16244b51a948f26fb8440822161106b0d84464eeba899ffcc68c55d57a7
AgentTesla
4f9ab5722f95d20fc30c81bf817157c48c6e3f6e53a5a2881ff846be338eb360
AgentTesla
78f25ecc4d28fec2c11b821ec4a8b4a6f5cfb7ab7dde361c0a9d632b40c65a4a
AgentTesla
8b155c46b58fb8623f25c5f8ba523225c80b7aa33a2dd648970c307efae5dbcc
AgentTesla
94226a0ad856af28b1f244eb04e363f95d9f0a7777e242606c61e8928529a6fd
AgentTesla
b356dd47eba95c4343a483091a1c27261a12fb0819c4899ffbe8f7b138e52329
AgentTesla
d2475c14cd534bca8b3a7a584900668545ed04d7f04c55c0958e05deaec4a7fc
AgentTesla
d9819797562fc37901466523b731e2114efd43d2395887cf44116e7b208e7d71
AgentTesla
d98ed54790efc6d718d719228e2bdbf4295cc23c94c22c6d77b55217337f860c
AgentTesla
+ 1'255 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230910-wlvw1sah9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
32c8589b272f5e76459442108d1f8aba881414fbe91f638723345556757608f1
MD5 hash:
b2e93d4a9e64d1d8e2a032c914c1bdac
SHA1 hash:
e40c5316797d0487aeda3aa33bdd516758f8c7f3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/059ab4ff-6911-4990-bb83-eaf8f81a2bb3/
Parent samples :
601ca85fa385ee74827fc023fc91c88964e8bc7dd8724305cddf1e089c7d372a
6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
SH256 hash:
fadd4eae5355b5b0b2581bce9108046da289c7044a97d03c044d8694a698edf7
MD5 hash:
1da7d711a1888c6030ea11e71d82b546
SHA1 hash:
d37d2b57e70309a2fd7671eb075ee2fcaed57f54
Link:
https://www.unpac.me/results/059ab4ff-6911-4990-bb83-eaf8f81a2bb3/
SH256 hash:
df18941b34ecd6ded1f9a826b90cb0fd05622feded4325f941263c904d02eccc
MD5 hash:
d171ff9b2e2b6031d1cf191d80bf5908
SHA1 hash:
56f47706ea39291abc237c66fdd2342a8e4e1fff
Link:
https://www.unpac.me/results/059ab4ff-6911-4990-bb83-eaf8f81a2bb3/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/059ab4ff-6911-4990-bb83-eaf8f81a2bb3/
SH256 hash:
6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
MD5 hash:
1e487bd04d2589c6f209c3a13e9d3b56
SHA1 hash:
4d7b7c5308fb21c58d50d0b8fff92cf2a572579c
Link:
https://www.unpac.me/results/059ab4ff-6911-4990-bb83-eaf8f81a2bb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 49975212d43717604ea95a681b05ac2f07c2f338450e7330cce736db945d5e1a

AgentTesla

Executable exe 6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 49975212d43717604ea95a681b05ac2f07c2f338450e7330cce736db945d5e1a
  
Dropped by
SHA256 d4aa45c833cc82d4cca13194e5527652a176e1f3e10264af2b99c1d80781fb96
Cape
Cape
https://www.capesandbox.com/analysis/447750/
  
Dropped by
MD5 ffcbfed66fe31c57f3dd73d202c96404
  
Dropped by
MD5 e81881e91f2c61cf71aef1267ee75cef

Comments