MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c
SHA3-384 hash: f95c557ccb9fed2b57a3fda040c5a806ae569bb5968edc08a424bd1051558c5e55aa8a7b7dc02591a3622cdd79180bd2
SHA1 hash: 84c7143e3ab53085393de1a02a271a7d1a23a4f0
MD5 hash: 1031d9a5ccbc6d4c390a83408aa561dc
humanhash: double-black-april-music
File name:New Order 1-4-2021_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'000 bytes
First seen:2021-04-01 07:21:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:3/3C8LKjzBG81pWjCEiTRVL8bABnyAiyvVWhE0Bs/e7Cxl:3/gzhpW+EinhyA5ohnBsGW
Threatray 43 similar samples on MalwareBazaar
TLSH DEE46A2333477BAFDD7953B61452541033B1AE36EAAAD50CAC54724C4F7B6C08BEE262
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: agarwalpipe.com
Sending IP: 45.144.225.211
From: Elie Abdel Ahad <ritesh@agarwalpipe.com>
Subject: Re: NEW ORDER
Attachment: New Order 1-4-2021_PDF.gz (contains "New Order 1-4-2021_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order 1-4-2021_PDF.exe
Verdict:
No threats detected
Analysis date:
2021-04-01 08:16:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3166855-2f4c-49ef-8533-37877f02250f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130497/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576-3.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661970
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 23:45:07 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdg4qmccn5i6yzdegrr2ngmf7ot4tsoh75lsp2djdq5chrqmhqga._file
Verdict:
unknown
Similar samples:
27bfd9afe378e51fd22cf91cb2fa77cef33bf303f35db5f41c35dd12e650b233
AgentTesla
3c80e1dcbdca8a93fbb85ff13b20dc0ef5d587c513150dc47d396c518e1694da
AgentTesla
5eda4d8e1c09d096abc2f2697045cd0f2e683041996b375f511701deba3e73a4
AgentTesla
7b329dc717b4955312cd3a4c48c18f940d7c6e43fd2afc86f9fb22a22b8caecb
AgentTesla
84228b439980a337d1ebc688d6b5838f74f9aec40fd46133591489aad3e2a40e
AgentTesla
a8c033991df229ed08f99e6a4a931ab0e53484b7ab817ce2edbe6473dcb7b160
AgentTesla
bf874cf3d80e5df1bacd87a8918a725af305e770bc01178ce4004bfa330662a3
AgentTesla
bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb
AgentTesla
eb02dec52db3fd021ee253bda1c33d50f4b9c4fa61565665504f4a68a6d076bc
AgentTesla
fd5bc14dfef4ce87d17e11189789c91c56212b2a46532d42a77f5ceb79620b99
AgentTesla
+ 33 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210401-sxrn1q88es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/8070484a-7d61-44d9-956c-beaabf9b2ab7/
SH256 hash:
90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c
MD5 hash:
1031d9a5ccbc6d4c390a83408aa561dc
SHA1 hash:
84c7143e3ab53085393de1a02a271a7d1a23a4f0
Link:
https://www.unpac.me/results/8070484a-7d61-44d9-956c-beaabf9b2ab7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 3f7e202c5cff52997bed1b9e3261df0f38183ae1c78eacd7bd1d9cde81c90375

AgentTesla

Executable exe 90cdc830426f51ec64643463a69985fba7c9c9c7ff5727e8691c3a23c60c3c0c

(this sample)

  
Dropped by
MD5 58a6d9f7f659313a455a500f67e673cd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130497/
  
Dropped by
SHA256 3f7e202c5cff52997bed1b9e3261df0f38183ae1c78eacd7bd1d9cde81c90375

Comments