MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a21042691ca3daa975ce1a24fba6115f2d762eef39cbaffd4245d582d286ea84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13



SHA256 hash: a21042691ca3daa975ce1a24fba6115f2d762eef39cbaffd4245d582d286ea84
SHA3-384 hash: 5121a7c8088d2917d019c345871b2e2f25e65f79cb5c490707d05f154dc9a40836d9d1a607156ded7e69875e46ac9a8d
SHA1 hash: ad40813cf7a976cd19222336b935911fc60d1903
MD5 hash: cbbd8d003272a352078e9b9f1be979a3
humanhash: golf-music-edward-jig
File name: Order_confirmation#982783.exe
Signature AgentTesla
File size: 2'097'152 bytes
First seen: 2023-04-17 13:47:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7FyYJSUY/0/Asn7vF3hQhB6SmKJxd8z/goffQZzKUPHJHYA:hyMSUY/GRrQuLKyzFIdxHYA
Threatray 19 similar samples on MalwareBazaar
TLSH T10CA50264B3568B67DC6D4B7A905155164B74F013F11BC34E2A8F2CFB3A873BB024A4AB
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter James_inthe_box
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 245
Origin country: US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_confirmation#982783.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 13:50:46 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
obfuscated overlay packed packed zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla, Redline Clipper
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Redline Clipper
Behaviour
Behavior Graph: [graph rendering omitted] Behavior Graph ID: 848159; Sample: Order_confirmation#982783.exe; Startdate: 17/04/2023; Architecture: WINDOWS; Score: 100
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: MSIL_SUSP_OBFUSC_XorStringsNet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference: https://github.com/dr4k0nia/yara-rules
Rule name: msil_susp_obf_xorstringsnet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other
