MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818
SHA3-384 hash: 43ef747f44962a059c962c28453ca04ef43af306d22b869ade26352880ee1a6ca562997593c5c05d24daa56b1580cbfb
SHA1 hash: 02aba40a51320228b8952dec6ad963089505f6ac
MD5 hash: 6f2c7145046af933b893c2ab398cb407
humanhash: yellow-five-pasta-nevada
File name:ORDER9547408.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'256'960 bytes
First seen:2023-08-15 12:40:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:PMiQ7cdrCXcBvfa+krODKRDEeCnplB4QGZ1Zb+PxtY3v2z1f07rV2W:wrOEDYpA8JtY3v2z1f07x2
Threatray 5'463 similar samples on MalwareBazaar
TLSH T16145D071D3C96DE2D82A137C54736C3223B39DA95472CA1E28CD3CA57FBB3920196A47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71f0ac8e8ec8f434 (2 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla bat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER9547408.bat
Verdict:
Malicious activity
Analysis date:
2023-08-15 12:45:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5b26f4a-7526-429c-ad59-b85c0fabc4d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442795/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2275.30328.10653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Running batch commands
Launching a process
Creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/addfd853-f699-4f25-a5a0-3bf33c0d5f13
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291422
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1291422 Sample: ORDER9547408.bat.exe Startdate: 15/08/2023 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected DarkTortilla Crypter 2->60 62 4 other signatures 2->62 8 ORDER9547408.bat.exe 3 2->8         started        process3 signatures4 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->64 11 cmd.exe 3 8->11         started        15 cmd.exe 1 8->15         started        process5 file6 36 C:\Users\user\AppData\Roaming\PHLyM.exe, PE32 11->36 dropped 66 Uses ping.exe to sleep 11->66 17 PHLyM.exe 3 11->17         started        20 conhost.exe 11->20         started        22 PING.EXE 1 11->22         started        24 PING.EXE 1 11->24         started        68 Uses ping.exe to check the status of other devices and networks 15->68 26 PING.EXE 1 15->26         started        29 conhost.exe 15->29         started        31 reg.exe 1 1 15->31         started        signatures7 process8 dnsIp9 40 Multi AV Scanner detection for dropped file 17->40 42 Machine Learning detection for dropped file 17->42 44 Writes to foreign memory regions 17->44 46 2 other signatures 17->46 33 InstallUtil.exe 2 17->33         started        38 127.0.0.1 unknown unknown 26->38 signatures10 process11 signatures12 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 33->48 50 Tries to steal Mail credentials (via file / registry access) 33->50 52 Tries to harvest and steal browser information (history, passwords, etc) 33->52 54 Installs a global keyboard hook 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 13:03:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5unvi52nm43gaxz2thtjxfx7dlkiuwhbrv5z4njnmi3glyfzama._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1dd3caa0895d9aa12c35344464fc9a229b1d55e8d134e83362fe75753f36ae74
AgentTesla
268cdd7d5a374b6f95c28d1411476cc86a92c10c0dd8d8eeeb973bd794aeee73
AgentTesla
3625699aceef8218cece58914659f6ba003e6f26ad033645ed738b4972050aa5
AgentTesla
415dba49ad160b272fc159f4a7eacba2990c09f0941127acb8c3366fe7866c12
AgentTesla
579decb14fc21f6ab8e520a2eacb56ffc1bc573df67356fc6cedc108bd8cea8e
AgentTesla
5de39368fe80ef49986db86c1fd8719ea2db295d4e036cebea57f1592eefe74f
AgentTesla
8d47a0875bae9f6a20e36525e6be0c0450e7492fb540a1f65802601bf8e558bb
AgentTesla
c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea
AgentTesla
de69511f960e783c013dcd20621c0d78379876b985a0e56e77e85110909b57b7
AgentTesla
+ 5'453 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230815-pwr5jscf5s/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818
MD5 hash:
6f2c7145046af933b893c2ab398cb407
SHA1 hash:
02aba40a51320228b8952dec6ad963089505f6ac
Link:
https://www.unpac.me/results/4f744e24-e37b-4f02-9179-a13861b04934/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b768daa3ba6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b768daa3ba6b39b302f9d4cf34dcb7f8d6a452c70c6bdcf1a96b11b32f05c818

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442795/

Comments