MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d
SHA3-384 hash:	92e8151b21e5bd6a50e68379d1e0f04ad3adf3c6b8691c8a9fa43d87a3bb4a860b7f6be1cd85f8ded2f61dee97fd65ee
SHA1 hash:	9254c500a0be23c876ab8ca9f1c644600df0bb47
MD5 hash:	c1a1c5d3e6d5814a30314822c7ccda0d
humanhash:	sweet-zebra-minnesota-nebraska
File name:	NEW ORDER 87012_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	823'296 bytes
First seen:	2022-11-21 14:22:13 UTC
Last seen:	2022-11-21 14:22:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:P7gm+L74mBfNUstzorFy4OaqtHKAyYFkVRFwHvQ5ywqp:PsWFBgIyH45yT
Threatray	23'881 similar samples on MalwareBazaar
TLSH	T107054A4F2B7FDDF0EA245CFB221457039C3659DABA8BCA7843982BC660F261C5B74464
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	dc7f498989cb07e4 (3 x AgentTesla)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

NEW ORDER 87012_PDF.exe

Verdict:

Malicious activity

Analysis date:

2022-11-21 14:24:58 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/ea466c57-ccc0-4604-9b5b-387749541eda

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/336792/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637b89c7903ba0eaf36cd8d9/reports/88ceacb4-37f5-4ef6-9e57-e903db82968a/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc16646d-1749-4630-a6cd-fbc9d4c79a63

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1118165

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-21 13:38:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=se7vbb5ibudqzp7ddxzmj6sqenvwmoyt2kodhu5u6wihhwskvagq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

512ca7cbadc87f5a9471355df03cec6666274c23ca7fbcb1480a1372b59c0401

AgentTesla

9daac9cdc51b89ca55b5da379dcd2b612bd362742d09c8487ed2ad7c9c5da921

AgentTesla

9ed43bff16f943c9f0dd2ad4c1b42ea8b5e1b1bdc1fd43c088be44f15376c7e1

AgentTesla

be82b725c643ac9d30a503f2fd615d9bcd38ed9f0edbe53082d5743ded65e327

AgentTesla

cd53ca02d3f26bf3e6431e6d86c9379f9f77f7e67cddba40ae9a16f85569334b

AgentTesla

dfa4832c3467048b97700da91fd18657092839808e79a9c0c33d13b2e8618292

AgentTesla

ef3dc91cbf24d7ab359adabcac5f486c56fbc631ac0fa57823070f3b527661ae

AgentTesla

+ 23'871 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221121-rp5heagh6s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/acc69a26-f17d-4f40-bc1e-a34f2d38e468

Unpacked files

SH256 hash:

050e0eb01b9e1cbf96f12415d018d954d3329218b50431c13c7904a35977e8af

MD5 hash:

8d44eca6b553a3efe9d0d954a2dc13d6

SHA1 hash:

ea64b29eec0601e1838fdb4e920bbe13764f8383

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

SH256 hash:

f865977abbf166a0fbbc2f810261424ec4ad6e3c23ddbbdcf8c9d492f9faa987

MD5 hash:

7e2350720cc144365d31d295ce2e5654

SHA1 hash:

7a68b8d787a0e30b2b66b1729306bbcfebf2cbeb

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

SH256 hash:

ff8cd272316c260f630f8afb5af10f8f374f17036d7b13d3f207fa5b8e298765

MD5 hash:

bded46f604a46b214894fc46edc483b8

SHA1 hash:

6b9eeeaf058d3e8e4f046275dbcba7d1faf58548

Detections:

AgentTesla

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

Parent samples :

dfa4832c3467048b97700da91fd18657092839808e79a9c0c33d13b2e8618292
913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d
cb746f7276346db2c6079f11b365ffbd1aa9bf056268fb7cc1a1aab1d4def287

SH256 hash:

5ed6d35fa4e9f501d96e1962ace998543565dd66c283f6ae410a055062ebb841

MD5 hash:

449ea2cafc11d7968a6dd160c9f8fdf5

SHA1 hash:

668b142d08a903266a1ae850c1227a3b4c93bb32

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

SH256 hash:

31b663b91f11b8f7da1d8bd87f8532e563f301754b1ca2c0a97c2f358ad116dd

MD5 hash:

ba1868faf5de09265b89c44732c1ab3d

SHA1 hash:

38997e35e0c68866a2a6e4a7356252e1f252e2e5

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

SH256 hash:

913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d

MD5 hash:

c1a1c5d3e6d5814a30314822c7ccda0d

SHA1 hash:

9254c500a0be23c876ab8ca9f1c644600df0bb47

Link:

https://www.unpac.me/results/c57b87ca-a3c1-435c-9bd3-365a49092e9a/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/913f5087a80d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/913f5087a80d070cbfe31df2c4fa50236b663b13d29c33d3b4f59073da4aa80d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/336792/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample