MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d
SHA3-384 hash: 09db4eeca85b33043fb722070d20ef1edfc363a4a17d12eff1a842ce27277520ccb4e74cca6b77dbaa51756012bce783
SHA1 hash: a96908f58cf00f6520f2fb38f4b0eb040e668029
MD5 hash: 1077d89b715948d0566c74185792cc74
humanhash: asparagus-stairway-zebra-freddie
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:753'664 bytes
First seen:2022-05-25 15:26:44 UTC
Last seen:2022-05-25 16:48:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:rGZFF9Yy9CdT6+WNpqlLg69KnCXa0G1vn/K5w3YFmh9UcxaSsrmBOKEABQNpCKFt:C7CiAlLmGG1v/K5w3YF6OTrmAUKFq
Threatray 17'476 similar samples on MalwareBazaar
TLSH T13DF4F1AD329072DFC867C8769EA82C64AA71B567930BD307D41311AD9A4EAD7CF101F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
370
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
New Order.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 15:30:54 UTC
Tags:
agenttesla trojan rat
Link:
https://app.any.run/tasks/116f4815-604d-43e1-a435-0b36b005394d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274579/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628e4b093223462f89e16f3d/reports/2a3d812f-59bb-4cb2-a3b6-a381686055e6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e54b2ea-12b7-42ef-b705-bb285ca8ed92
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001690
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634188 Sample: New Order.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 11 other signatures 2->68 7 prAyoao.exe 4 2->7         started        10 New Order.exe 7 2->10         started        13 prAyoao.exe 2->13         started        process3 file4 70 Multi AV Scanner detection for dropped file 7->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->72 74 Machine Learning detection for dropped file 7->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->76 15 prAyoao.exe 7->15         started        19 powershell.exe 7->19         started        21 schtasks.exe 7->21         started        42 C:\Users\user\AppData\...behaviorgraphXRCXbbdtEH.exe, PE32 10->42 dropped 44 C:\Users\...behaviorgraphXRCXbbdtEH.exe:Zone.Identifier, ASCII 10->44 dropped 46 C:\Users\user\AppData\Local\...\tmp1668.tmp, XML 10->46 dropped 48 C:\Users\user\AppData\...48ew Order.exe.log, ASCII 10->48 dropped 78 Adds a directory exclusion to Windows Defender 10->78 23 New Order.exe 2 9 10->23         started        26 powershell.exe 25 10->26         started        28 schtasks.exe 1 10->28         started        signatures5 process6 dnsIp7 52 Tries to harvest and steal ftp login credentials 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 30 conhost.exe 19->30         started        32 conhost.exe 21->32         started        50 webmail.wrcs.in 103.138.189.137, 587 GBLINK-AS-APGBLINKNETWORKSOLUTIONSPRIVATELIMITEDIN India 23->50 38 C:\Users\user\AppData\Roaming\...\prAyoao.exe, PE32 23->38 dropped 40 C:\Users\user\...\prAyoao.exe:Zone.Identifier, ASCII 23->40 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->56 58 Tries to steal Mail credentials (via file / registry access) 23->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->60 34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 13:13:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sverqlafkfj6it62vlg53vffru2dmag6noj56bphqahxcxkjn4wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3cff2b73d77305ffe8c02b009feca9ad0fbdbbbfeec0a1db831caa127f58ef73
AgentTesla
4b3b8f1f6ab69340cea4c78f21cb691e6efdb3ede2973a6315e947b281ea25c8
AgentTesla
4b3efdba2a0251d16190ac0faabe18091b391b70e55ac58d17f8ad2ac0baab68
AgentTesla
781a63f173507bbaf99c4937f324e8b1e746f807583f48328e6005ce6aae003b
AgentTesla
ebdbd8487dfdaebc34214de4e2f6fdfc5b5cfb30b9fa98ca9269a4cfae16cb93
AgentTesla
f1a566ebee3c225b2683813ce31c30f6e7648c1dcdd03c991a2d2e99c11bc6d7
AgentTesla
f8f3a24e97b0c9e4941baab62a4eeb64b9cc7e82ad97398b95b58fbf1289fb24
AgentTesla
+ 17'466 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220525-svqrwabfb2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
75552b5a5ee3c974041d14faa590ae2c2ed0418f893646f2c8d656d7cfbe46e2
MD5 hash:
ff0ae86eaab019d5abd0ed69442af13e
SHA1 hash:
f6b5bb43c8e3f709cd8b4d74147d38c6758a9fdc
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
SH256 hash:
919e0e414b5c587c9a350d453ac590a84f2de8cd01a9dd2c3ded92c0944da7f1
MD5 hash:
7e3fe434006e6b6236dd3b054a1cb12b
SHA1 hash:
d06e231d5b71fe0b9766ca01baa2c4691e4c4e5a
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
SH256 hash:
0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e
MD5 hash:
abcf7824b477074db7ac154a80d1e329
SHA1 hash:
9c6982829bff318776560846de7bcc39d3c16f7f
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
SH256 hash:
71d4c75e5baa3bdd9195aa65790806a45b3170a2368f90ad5aa7cb74a609376d
MD5 hash:
e657ae3f8b6069b458fa1dde56e7253a
SHA1 hash:
117c2b9f29934468af52d7e7142ec156edf7b29b
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
SH256 hash:
9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d
MD5 hash:
1077d89b715948d0566c74185792cc74
SHA1 hash:
a96908f58cf00f6520f2fb38f4b0eb040e668029
Link:
https://www.unpac.me/results/118c7d12-bde3-494d-b8e8-cdf32b1984db/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9549182c0551/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9549182c055153e44fdaaacdddd4a58d343600de6b93df05e7800f715d496f2d

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274579/

Comments