MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873
SHA3-384 hash: e9aaf048a5777c4aedcf3f0c198c39614bf442637d34a5d40cb95ecc35041bb165b60b5fae816f434dc813e45840cf6b
SHA1 hash: 7fe16f0737c1d5e9133d08ce17604666a807932e
MD5 hash: 03fb5d06df361dfb517871db75a8955f
humanhash: comet-kansas-one-eight
File name:new order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:861'696 bytes
First seen:2023-04-28 23:27:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:G3b/9WflU/9Zrq0igyJtc9PdL3qFxW9CjrBeHSeRdQEo6FQl:+bylULiTJkc6yeRdSfl
Threatray 2'729 similar samples on MalwareBazaar
TLSH T18705493C19BD263BC07AD7A68FE0C467B554A9AF3121ED64A8C747A64346F5234C323E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
new order.exe
Verdict:
Malicious activity
Analysis date:
2023-04-28 23:30:09 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/7c32c8b5-14e2-47f8-bc99-cfe6e891c793

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385622/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/644c5683edfde86c79814b35/reports/c90d0f10-41ea-4444-8ec5-101703efc2a1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/866ee4a4-3bc8-4f33-b3e4-4f43e1846a1e
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1223295
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 856245 Sample: new_order.exe Startdate: 29/04/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 6 new_order.exe 3 2->6         started        10 bUhSoz.exe 3 2->10         started        12 bUhSoz.exe 2 2->12         started        process3 file4 23 C:\Users\user\AppData\...\new_order.exe.log, ASCII 6->23 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Injects a PE file into a foreign processes 6->53 14 new_order.exe 2 10 6->14         started        55 Multi AV Scanner detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 19 bUhSoz.exe 7 10->19         started        21 bUhSoz.exe 7 12->21         started        signatures5 process6 dnsIp7 29 host43.registrar-servers.com 198.54.116.10, 49679, 49680, 49681 NAMECHEAP-NETUS United States 14->29 31 192.168.2.1 unknown unknown 14->31 25 C:\Users\user\AppData\Roaming\...\bUhSoz.exe, PE32 14->25 dropped 27 C:\Users\user\...\bUhSoz.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 39 Tries to harvest and steal browser information (history, passwords, etc) 21->39 41 Installs a global keyboard hook 21->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-26 10:18:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpntimjhafdd5ebfa5qx6veccxsbdudbqmhwwb2i5wx4l6tfdbzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061be461e36480dff405e58d338c66f86d2e6c0cd95d7e13cf8b42ee7425375d
AgentTesla
2736bb21fab5703708ab49c3f24660ff1e8f2fc8745ae19bc422f5e6aff5f5d8
AgentTesla
333bc1da1ebac150e52df580ad487c35d31caa25bcdd8e06dd1579cd6dd86019
AgentTesla
487684e01b232a60cff5d2eb9c1a438e3b6545a6e2610771084079bdf42764fd
AgentTesla
54334ab99887bb68c804cbea4d9a976c5a0e9625bfb7d0a2d451e90dcd1f3e10
AgentTesla
54dce15454bf709418714b819629a2ce6986debe406b9ac5b3aac6c86e3b9fe6
AgentTesla
60e955512319217b4acadcb5fe46bd70a1bcd078f2d556483f1f6be819cf182a
AgentTesla
d46b8526a8a8b3ad723d25036a6d692009245eb965d64576e90915ae877f9eb5
AgentTesla
d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e
AgentTesla
+ 2'719 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230428-3fzfksgh56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8
MD5 hash:
3a6ac846fbf56df68c3cb61cd18c7623
SHA1 hash:
e5b7f4e47b357f330b33330663ff5739a02d442f
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
SH256 hash:
f78fc8ff153acae0eb39dde683a5a6ade8a355a5277d8fd4ce2828ca3215c513
MD5 hash:
ee0355415c0195142396f6468ad7aa8d
SHA1 hash:
88429b82eed057d74963ff6122a8cbd4994adeb5
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
Parent samples :
54334ab99887bb68c804cbea4d9a976c5a0e9625bfb7d0a2d451e90dcd1f3e10
54dce15454bf709418714b819629a2ce6986debe406b9ac5b3aac6c86e3b9fe6
abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873
SH256 hash:
4e204901669c35cacb77d7d95979af28953b0564a9e1df4d99864b9a408f439d
MD5 hash:
7e34059011cf1c7aede786b810791a90
SHA1 hash:
6acac83f6b5652f792488efd5787c9dc3aa582b2
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
SH256 hash:
a1579f03a1ce6101d63dd819ba11f0ce2d2fa72280e75850cf0cf7290b5efec2
MD5 hash:
2faa14561c475a2dcc519921b0c8c119
SHA1 hash:
2f4f812d4582d906f6cb27280095c094e3b8ed86
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
SH256 hash:
abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873
MD5 hash:
03fb5d06df361dfb517871db75a8955f
SHA1 hash:
7fe16f0737c1d5e9133d08ce17604666a807932e
Link:
https://www.unpac.me/results/a8393726-c253-49c6-8180-a713081724e7/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abdb34312701/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe abdb34312701463e902507617f548215e411d061830f6b0748edafc5fa651873

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385622/

Comments