MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
SHA3-384 hash: cc8c3a818b4c5184d1998770bdecf500db74442c425ab3fbd186266f98f07288277c86a660bd8ca79c2cd857ac24ad68
SHA1 hash: b2aece2499d5d90eb59d7e0d8a908c162d7e70f1
MD5 hash: 3dfa099ee923a3f449f97ca8f522f703
humanhash: angel-equal-florida-delta
File name:ORDER-401.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:762'368 bytes
First seen:2024-12-12 20:28:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:/fsSMXtdwCUEou5+tJ5gL1OPUCaBqffDxQ4LFS7erQg3cRL7XlrGw6GABR5OiYWa:Xs+/Eovt0LYPvaBaBSCPElrGDFrMW/y
TLSH T12FF412187A47D806CA9257341EB1F2B56BAC7EEDA801D3074FE86DEFBC26F154C48291
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon b270e4f0f0f0d0e8 (12 x Formbook, 5 x AgentTesla, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
453
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER-401.exe
Verdict:
No threats detected
Analysis date:
2024-12-12 20:31:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa5f003a-d597-4faa-bc94-120d31604133

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Generic-10038502-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675b486e89dbe216234c3f37
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed packed packer_detected
Link:
https://www.filescan.io/uploads/675b479063e8381108d3092d/reports/9180ca7f-3b76-4886-b559-61a5b5ee69bf/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7ddc0e9-38c9-4f05-ab78-515d930fff7f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1574061
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1574061 Sample: ORDER-401.exe Startdate: 12/12/2024 Architecture: WINDOWS Score: 100 30 www.070001325.xyz 2->30 32 www.397256.pink 2->32 34 9 other IPs or domains 2->34 44 Suricata IDS alerts for network traffic 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 52 6 other signatures 2->52 10 ORDER-401.exe 3 2->10         started        signatures3 50 Performs DNS queries to domains with low reputation 30->50 process4 file5 28 C:\Users\user\AppData\...\ORDER-401.exe.log, ASCII 10->28 dropped 13 ORDER-401.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 16 PcwrDoOfOMD.exe 13->16 injected process8 signatures9 42 Found direct / indirect Syscall (likely to bypass EDR) 16->42 19 tzutil.exe 13 16->19         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 19->54 56 Tries to harvest and steal browser information (history, passwords, etc) 19->56 58 Modifies the context of a thread in another process (thread injection) 19->58 60 3 other signatures 19->60 22 PcwrDoOfOMD.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 36 all.wjscdn.com 154.205.159.116, 49727, 49728, 49729 IKGUL-26484US Seychelles 22->36 38 likesharecomment.net 3.33.130.190, 49731, 49732, 49733 AMAZONEXPANSIONGB United States 22->38 40 4 other IPs or domains 22->40 62 Found direct / indirect Syscall (likely to bypass EDR) 22->62 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-12-04 20:47:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovvl2etterf2sha3tpl3xbqyf2ibfyjpewm4w4k7s5l4ynhdvapa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
error
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241212-y9jvrsylgq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
Win.Packed.Generic-10038502-0
YARA:
n/a
Link:
https://app.threat.zone/submission/82f2a2fc-75f3-4866-8e4d-be763c8947e5
Unpacked files
SH256 hash:
3499a67087e628cd9b1376938bf88d25a1cc506d9d982ff88ed24d29050f4405
MD5 hash:
97f69f2a6c18359e7fef22f6b9d0d52b
SHA1 hash:
0fcfee9e7b7ab02c3f745dea0fcc2bd0199d491b
Link:
https://www.unpac.me/results/55626c29-7a20-4f52-8bdd-8ac2d68cd30b/
SH256 hash:
b6ed6f6d010f4e45ba8e0a9c109ba5006e29a76d0a985088f9e784d2e027b0e9
MD5 hash:
c94e086a53f0c67323e9cd7b357ac5d8
SHA1 hash:
ea50f4fcb912eb97d42003aebb1662206bdc73b0
Link:
https://www.unpac.me/results/55626c29-7a20-4f52-8bdd-8ac2d68cd30b/
SH256 hash:
1ed78fe2567602c8703189d5beb2af7fb3dedf34eb9733fd8d1fd20eafbe1e90
MD5 hash:
efcb88f253982e6b4b7b22e090935117
SHA1 hash:
72244fadc30a17d427932073c696fae025d6adab
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/55626c29-7a20-4f52-8bdd-8ac2d68cd30b/
SH256 hash:
acf09c80699691d3a6a8d52577d06a7054c1bda1953a55527251e92e15ba037f
MD5 hash:
69473b5123488cff4aae599aa14eb3a4
SHA1 hash:
1d3562fd2fb55582cb97441b9f01065dd80373fc
Link:
https://www.unpac.me/results/55626c29-7a20-4f52-8bdd-8ac2d68cd30b/
SH256 hash:
756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e
MD5 hash:
3dfa099ee923a3f449f97ca8f522f703
SHA1 hash:
b2aece2499d5d90eb59d7e0d8a908c162d7e70f1
Link:
https://www.unpac.me/results/55626c29-7a20-4f52-8bdd-8ac2d68cd30b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/756abd1273244ba91c1b9bd7bb86182e9012e12f2599cb715f9757cc34e3a81e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments