MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21
SHA3-384 hash: 0aeb9dc94bc006a7107dae5c7b5972e85429ee00b61b62f247fd659c9220bd6577e771cbcd72f94ecdf6fe6075aa291a
SHA1 hash: a91970dd408d95ed439bed31d9bddf9357199716
MD5 hash: 2400fe7dc0c57c484ee2f27c3ecfa448
humanhash: delaware-aspen-monkey-eight
File name:Order List.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:42'184 bytes
First seen:2021-04-21 06:03:55 UTC
Last seen:2021-04-23 15:58:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 384:joapKy7Ge/7Epf3YO/054DpZ2iNaNkynfQnCU1Fr5yL+nLSsg4clgduSlR0npZl0:UaKyalfoO/xtZ2iLn7K++f4cuH0Bfnha
Threatray 8 similar samples on MalwareBazaar
TLSH 4B13A65A14517115E9E309B47D5AED783F28EB765880E00EF422914CCF827FA78EC9EE
Reporter cocaman
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:WoKaSuFvHwRLbxUls
Issuer:WoKaSuFvHwRLbxUls
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-20T23:03:09Z
Valid to:2022-04-20T23:03:09Z
Serial number: 258db8227601733d042522f396a0c1cf
Thumbprint Algorithm:SHA256
Thumbprint: 92070d963d7c76472e57d171a7158a3657c4bac662c3be9b161d7590db35f2c1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/141785/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21/
Threat name:
ByteCode-MSIL.Spyware.PowerShell
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 01:23:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm32uta3nzew73gk2givsjerqzrwectasyxeeahiobbxpltsniqq._file
Verdict:
suspicious
Similar samples:
0e8dcf86827981e1a10f081aed896cb9b70083b800e8ada54159afbfa9fd2814
AgentTesla
1b2155f2df693ef4f05ea92b20c266af854259620755205ee965fcb1382eb1dc
AgentTesla
4ee91a96f4f8219145c883b6e785869dcec4a22bc98e9c95a8472fbfa2c63148
AgentTesla
562d9a4326e09ecb7f988355d1d56c39d025f292c3d3e8a5e319a3ff2c44866d
AgentTesla
8a5feb638a86eef3e912827fab799130ab284c72275c74bfd8449c10ab41ff2f
AgentTesla
8a9a6384ca9858fd73b17063871825e60a989f230bf46bbe478c723e13f7cfad
AgentTesla
a31924a3f39126f3f253c75ea5b787a4756b885828916ff5bd5b1c9ca9b95c59
AgentTesla
e7f63ff5c5b933e940b344dd41e44224df5a554ad03dad40b54136eddfdeac9d
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210421-p24k5ac9jj/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 823f97c8ef07b2edfa84d898cf7987a0c18bc742fb458aeb99c97f49ad3fe64b

AgentTesla

Executable exe b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 823f97c8ef07b2edfa84d898cf7987a0c18bc742fb458aeb99c97f49ad3fe64b
Cape
Cape
https://www.capesandbox.com/analysis/141785/

Comments