MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754415201ac666285c12b35d0fc3ab30f7fb48d7a9c9c54c8cee746be8ed4e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6



SHA256 hash: 754415201ac666285c12b35d0fc3ab30f7fb48d7a9c9c54c8cee746be8ed4e7a
SHA3-384 hash: 250ba66239baee0e989909ab07a9220154a895eab6c7bf8cf1a0bb12f9c71ee36f3e46062fa29eccac58e4f576af880e
SHA1 hash: 393fe1c194a492f8fb033f890f8423b1efad100a
MD5 hash: d4d9d4dfd23487fb2ffb8fb9b0b7458c
humanhash: music-winter-lion-four
File name: New order.exe
Signature: AgentTesla
File size: 916'144 bytes
First seen: 2020-11-09 18:27:05 UTC
Last seen: 2020-11-15 23:20:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:Y3C29PBPlJ7w/zC3DtsctPyDcBDTyWt/WxSf/rxetd7WRJANgaaaU0E3B08/b7:oC+K/zsBNtyim7WRhwE3n7
Threatray: 44 similar samples on MalwareBazaar
TLSH: 9115945894D9638BC83737BD9B392585C3B0CA2722B9C6D7409CBAF6EE4DC359B71804
Reporter: James_inthe_box
Tags: AgentTesla exe

Code Signing Certificate

Organisation: DigiCert Assured ID Root CA
Issuer: DigiCert Assured ID Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Nov 10 00:00:00 2006 GMT
Valid to: Nov 10 00:00:00 2031 GMT
Serial number: 0CE7E0E517D846FE8FE560FC1BF03039
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 7
# of downloads: 78
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2020-11-09 16:20:47 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 24 of 28 (85.71%)
Threat level: 2/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments