MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb
SHA3-384 hash: cc8358d020c9e0704a7242ac9dea9e332f752551355fa8c878799795b3de5f7aa8573e85e43c6df44ec7e7e75e15d888
SHA1 hash: 6a3a4f917992355d00b1c39359a2d32fa0cc1aba
MD5 hash: 3a8d2d60fc4327afde4102331506f918
humanhash: west-mars-august-lamp
File name:ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:944'128 bytes
First seen:2023-01-26 10:39:00 UTC
Last seen:2023-01-26 13:37:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:mtG7vV5zxPCRgc7WUXDoFqIGCqhn3YUWLz7OZOwfwcmnQYFHc5FGDl2bsq9s/4nl:KiGCqNWLXOZzmQYmfGDJlwqVWkpQf
Threatray 24'365 similar samples on MalwareBazaar
TLSH T17E15AE1423E9DF82F9BE4779C275524057B37866B432D3895EE1A0FE2DB3B008A41B67
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 71e8e8cccce8e071 (8 x AgentTesla, 5 x SnakeKeylogger, 2 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-01-26 10:41:42 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/64a432ed-2e7a-4777-a0d6-3983e9524521

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357065/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d25847528134caf043431e/reports/71e341f7-d9eb-42a0-8b72-bc04307f3513/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f857aa6-324f-4db3-83db-a1b953f6c6f5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159461
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792195 Sample: ORDER.exe Startdate: 26/01/2023 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AgentTesla 2->50 52 3 other signatures 2->52 7 ORDER.exe 3 2->7         started        11 svchost.exe 3 2->11         started        13 svchost.exe 2 2->13         started        15 8 other processes 2->15 process3 file4 34 C:\Users\user\AppData\Local\...\ORDER.exe.log, ASCII 7->34 dropped 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->66 68 May check the online IP address of the machine 7->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->70 72 Drops PE files with benign system names 7->72 17 ORDER.exe 17 10 7->17         started        74 System process connects to network (likely due to code injection or exploit) 11->74 76 Multi AV Scanner detection for dropped file 11->76 22 svchost.exe 14 7 11->22         started        24 svchost.exe 13->24         started        78 Query firmware table information (likely to detect VMs) 15->78 80 Changes security center settings (notifications, updates, antivirus, firewall) 15->80 26 MpCmdRun.exe 15->26         started        signatures5 process6 dnsIp7 36 ftp.cnnzalane.co.za 102.130.125.58, 21, 49704, 49705 xneeloZA South Africa 17->36 38 api4.ipify.org 64.185.227.155, 443, 49703, 49706 WEBNXUS United States 17->38 44 2 other IPs or domains 17->44 30 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 17->30 dropped 32 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 17->32 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->54 56 Tries to steal Mail credentials (via file / registry access) 17->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->58 40 api.ipify.org 22->40 42 api.ipify.org 24->42 60 System process connects to network (likely due to code injection or exploit) 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 64 Installs a global keyboard hook 24->64 28 conhost.exe 26->28         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb/
Threat name:
ByteCode-MSIL.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 10:40:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjxnxl2wezsyofbilagcdwzjh6w3eq2vjnobmbiz7zcwkqzwb7fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1
AgentTesla
19f5de1fab76d8bdac9d3bab7ec590152f1b9b4f154d1c429a1fd1acb65ba628
AgentTesla
1f5d9074ca3f0cb21ca2e31560ff93491a57ea74466b5ff5a6ac0d63774029c6
AgentTesla
5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2
AgentTesla
5f1d6d9c49024913322423dbd249144d93feab55663e1cc26fb0cdf9eb16c610
AgentTesla
62a868ec8c1727bcddd3954bd37e482a5584bd40b7163132738885b7deffaa4f
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
a84aad3732ea9ed162f345bddceeb44da8b25e0ab4fd4e55848c1804d00d652d
AgentTesla
e6c4f27c74ef1e7af054304d895c1923ef54eb3530980b1e0d0b19d49c95faee
AgentTesla
+ 24'355 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230126-mpymmsdd39/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
SH256 hash:
df37ed2e441aa11c5649323dc9b8c5d7f7aef3724af78c984365dcb993a1c200
MD5 hash:
b9e8e1ab31a31502026cc012fa1884b1
SHA1 hash:
94b75954339280e0851db78376a83ea7830aa4e5
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
SH256 hash:
54ae14b2d9e64bfe9d1ace27ed6978ace8fb1a42d349c281bc7b0519ac45afae
MD5 hash:
c838b7555e5fc7392785e4053abe7a13
SHA1 hash:
5a65091eeee9cc7d38673278d20bfc0c761b432e
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
SH256 hash:
aa9e4d52d1075d5446d90f83e9cd0e833ebab4ebe5d87048f40ee0b3e4f2956f
MD5 hash:
052a2b47eeead875383b9f7c29461534
SHA1 hash:
51807e693fb4b0605cd3be2c32e0bf95a2ade01c
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
SH256 hash:
7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb
MD5 hash:
3a8d2d60fc4327afde4102331506f918
SHA1 hash:
6a3a4f917992355d00b1c39359a2d32fa0cc1aba
Link:
https://www.unpac.me/results/c2723e0e-2245-43cd-8743-e1c05be0ff1d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a6edbaf5626/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 7a6edbaf562665871428580c21db293fadb243554b5c160519fe456543360fcb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/357065/

Comments