MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 900a063103812fe372312c706c1faa00a8275efae23ffc62aff7810f3af29f68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	900a063103812fe372312c706c1faa00a8275efae23ffc62aff7810f3af29f68
SHA3-384 hash:	552df8678326ca2c60874c076ea93df12fa2375cba36a1ae3dbd49495ff7cb73391b4261448bc43507e4a1f6c26a60bb
SHA1 hash:	9e1f9c6f73663744eedf1c18cf29ab9df133ba91
MD5 hash:	73e2ca422b5283684e4cecda46f6edee
humanhash:	twenty-single-item-utah
File name:	New Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	630'272 bytes
First seen:	2022-05-16 08:19:41 UTC
Last seen:	2022-05-16 11:00:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:bk3y1Wo034yaTdjkFgs6d/fWYZ+85deWggH+7E1eLl9VAOWorJq3G86Q:bJo4yCYCDZfWYZldesd0
Threatray	17'893 similar samples on MalwareBazaar
TLSH	T18BD4F0AC711472EFC89BD8769DAC1C24AA6074BB531B5217A81745EDDE1DA8BCF100F3
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c0b0c6c8a896a0c0 (20 x AgentTesla, 19 x Formbook, 12 x Loki)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

New Order.exe

Verdict:

Malicious activity

Analysis date:

2022-05-16 09:10:09 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/38dda56d-0655-4b9a-a33a-fcde53ef184e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/270943/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6282093770e563c383694caf/reports/75a94e49-19ad-48a6-ab80-b0f01eb892dc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e43334b-9670-468b-ba4d-296cf48154bb

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/994687

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/900a063103812fe372312c706c1faa00a8275efae23ffc62aff7810f3af29f68/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-16 07:38:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=safammidqex6g4rrfrygyh5kacucoxx24i77yyvp66aq6oxst5ua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7fa76d57fff1250ed4ea7a02f76e716f1465b63ab601967b723f36d4acab5f28

AgentTesla

a69f86945f7f8ef58c13736fe00c632a0bbb38807b9e3f5722e3de01b7ab0464

AgentTesla

a6d4ebd78476f6437984f5d5f836ffe77ac6e1bf5b0cee0e9d2e89f79a0fedff

AgentTesla

aaecd614bb1827800c51b202b4fba750e4f93cb36d34ac6cfe0aee8d0ee1cec2

AgentTesla

cabfc28d0118a2709bf1c7a44b082964d9d209b692d029bb475dc1d629908376

AgentTesla

ce011b65266fac1225e2ad4be1550c4b8dbe8362d166e7415408f593aec1b7f5

AgentTesla

+ 17'883 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220516-j8fdmafgh7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e01971bce0d814ad968717ad2f439141fc8a9c7950709509d1e390644d04ca0b

MD5 hash:

92258d2948dbdc50d32093a128e6fd1e

SHA1 hash:

b7da20d0957acc7b7514510784b02346cf92336d

Link:

https://www.unpac.me/results/90ca4a9a-b44c-42ea-95e9-f1c071a44f10/

SH256 hash:

709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf

MD5 hash:

a7a6647650fe0204d1ab042824d638be

SHA1 hash:

a1194aba19ab6190a412073fe1918cd1b559aacf

Link:

https://www.unpac.me/results/90ca4a9a-b44c-42ea-95e9-f1c071a44f10/

SH256 hash:

28ae42bddd97e86d000639640656052f35e010b43b70d2c78a01e6beb324d13e

MD5 hash:

ff029f98cba863571f7862c5328ab046

SHA1 hash:

8b0de5c763fed688dc6ef914725775a669f0f2ea

Link:

https://www.unpac.me/results/90ca4a9a-b44c-42ea-95e9-f1c071a44f10/

SH256 hash:

025fd34b016ccc03c7b25390c3c0478943d182fed1198311d62383475d055753

MD5 hash:

b654b004329901c99c2541222c7a49e8

SHA1 hash:

582abc36d21bdce1b63f82131ff22a7c405d983b

Link:

https://www.unpac.me/results/90ca4a9a-b44c-42ea-95e9-f1c071a44f10/

SH256 hash:

900a063103812fe372312c706c1faa00a8275efae23ffc62aff7810f3af29f68

MD5 hash:

73e2ca422b5283684e4cecda46f6edee

SHA1 hash:

9e1f9c6f73663744eedf1c18cf29ab9df133ba91

Link:

https://www.unpac.me/results/90ca4a9a-b44c-42ea-95e9-f1c071a44f10/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/900a06310381/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/900a063103812fe372312c706c1faa00a8275efae23ffc62aff7810f3af29f68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.