MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430
SHA3-384 hash: c3a48ba23a16acdafac2a58d55575534f0c936b0b63ce926ab83f8825671d121eff78cbe843668257da5188193098707
SHA1 hash: e69c919394cb98929719b7a072ffa6ba85e3568c
MD5 hash: ba38ca3585213688a31395534d25c15e
humanhash: oklahoma-carbon-five-september
File name:OrderlistPDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:379'392 bytes
First seen:2021-07-15 20:42:24 UTC
Last seen:2021-07-15 21:40:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:7l30NB0uxIygxuwj27fggjZIJddg9CU+x19d6ZMKNwML2wxcB6BOpyOrSD5hWxYR:7l30kqISJrIJddg9J+H9dA5wMSwxI6Bz
Threatray 6'901 similar samples on MalwareBazaar
TLSH T1F684120AACED43E6F058957E7C623A1036307D3BE4E3AE865DD431588A36D821573F9E
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OrderlistPDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 20:46:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e6399de-6b0f-429b-9bda-a20a0ecacaaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172082/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14347.28966.3306.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f1f1907-37ae-40e6-9f79-70ef8c330fdf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817207
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449618 Sample: OrderlistPDF.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 63 www.yahoo.com 2->63 65 new-fp-shed.wg1.b.yahoo.com 2->65 89 Found malware configuration 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 Multi AV Scanner detection for submitted file 2->93 95 9 other signatures 2->95 9 OrderlistPDF.exe 4 9 2->9         started        13 orderlist .exe 2->13         started        15 orderlist .exe 2->15         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\orderlist .exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\OrderlistPDF.exe, PE32 9->57 dropped 59 C:\Users\...\orderlist .exe:Zone.Identifier, ASCII 9->59 dropped 61 3 other malicious files 9->61 dropped 97 Writes to foreign memory regions 9->97 99 Uses powershell Test-Connection to delay payload execution; 9->99 101 Injects a PE file into a foreign processes 9->101 17 OrderlistPDF.exe 2 9->17         started        20 wscript.exe 1 9->20         started        22 powershell.exe 17 9->22         started        35 2 other processes 9->35 25 powershell.exe 13->25         started        27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        31 powershell.exe 15->31         started        33 powershell.exe 15->33         started        signatures6 process7 dnsIp8 81 Multi AV Scanner detection for dropped file 17->81 83 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->85 87 Wscript starts Powershell (via cmd or directly) 20->87 37 powershell.exe 20->37         started        67 2 other IPs or domains 22->67 39 conhost.exe 22->39         started        69 2 other IPs or domains 25->69 41 conhost.exe 25->41         started        71 2 other IPs or domains 27->71 43 conhost.exe 27->43         started        73 2 other IPs or domains 29->73 45 conhost.exe 29->45         started        75 2 other IPs or domains 31->75 47 conhost.exe 31->47         started        77 2 other IPs or domains 33->77 79 4 other IPs or domains 35->79 49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        signatures9 process10 process11 53 conhost.exe 37->53         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 20:42:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oa2w4dxxk2p3rkkkgcr74soicbdmt2dapdpafzf7zrv46vlhcqya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04429647bba9090cd3500f585a8a5ec39891f8b8a88f4f647a67a9d35e3ed217
AgentTesla
16687d1c2945be78cbcabfb542520fc4f0a153b820aed024d8dd0032be6a7b0f
AgentTesla
3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77
AgentTesla
73db8576ad079efbe1376a00f6d027d0e9aeb173f594ee7161dbd5c62f9f215d
AgentTesla
764bbdd65e3d06d3a808d3abeb6b6dd3b5467fba53deb1b16c3b01e5e847f1c9
AgentTesla
791232ba8efdbe3778e195b4a96173183e44d101af42f0b308cca758ccd4d17c
AgentTesla
86e7e9abc8ae431280935625545da1a813509462ec27d6d7ded6ef0a6b8eb43a
AgentTesla
9ca380b9e68f8aab9d08c3357ce286ce087c81c96b64923f6401dc31679b5453
AgentTesla
bbde4210ae31bc0d1a2b038dba97b9aea0a3d9ac9e0dc5a11475208b61506d9b
AgentTesla
cd009c92cf5d14c3650fbcf7c41338de86b4f4d7403f6fe0640a3044c1c1312a
AgentTesla
+ 6'891 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210715-1k9ecssd4e/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ff4b010ee4bf84c090a433efa36edb220b66d2e67b31f5988f7134c17983c62e
MD5 hash:
4caf14f6995c03f9a935c563325bd1a9
SHA1 hash:
f2d130692257b6101556474779009b179c2834b2
Link:
https://www.unpac.me/results/8fd94458-f357-4a6a-9483-3e81fe7f9591/
SH256 hash:
2aa339e00017fe9f15946d72bace9b91fae9161bedbc25d82a03e7a5f1c77229
MD5 hash:
3c3b5c422d985ab6b585d1cc235ab6ca
SHA1 hash:
1fa2188daf5465862e4e3d675e6252bbb25d825f
Link:
https://www.unpac.me/results/8fd94458-f357-4a6a-9483-3e81fe7f9591/
SH256 hash:
70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430
MD5 hash:
ba38ca3585213688a31395534d25c15e
SHA1 hash:
e69c919394cb98929719b7a072ffa6ba85e3568c
Link:
https://www.unpac.me/results/8fd94458-f357-4a6a-9483-3e81fe7f9591/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70356e0ef7569fb8a94a30a3fe49c81046c9e86078de02e4bfcc6bcf55671430

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172082/

Comments