MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9
SHA3-384 hash: b3833745ae151cf457e85f1f907061652f59ee3d0d4f42a563db179227e5f31e0756d095481fcebb065c65e4ab42973e
SHA1 hash: c87328b2625f802223ecc3e2ab9586fc6ec22116
MD5 hash: 136df65aa756b07aea3f00bf0349b743
humanhash: arizona-saturn-pizza-fix
File name:New Purchase Order-030220- SMART SOURCING INC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'054'720 bytes
First seen:2020-12-01 21:46:13 UTC
Last seen:2020-12-01 23:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:N0vS24FOUao6tJfVPqs+BSC2KVyveMVST0sDdZ:+bkFao6tVk4IyveMgT0Ad
Threatray 1'707 similar samples on MalwareBazaar
TLSH 7825AF36AF49192AF5765B3CC4E02551A66D6FD3B303CC6D24F635CE8B33A8699C103A
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106302/
Detection(s):
SecuriteInfo.com.Variant.Strictor.94570.32601.17291.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/553041
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325614 Sample: New Purchase Order-030220- ... Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for dropped file 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 9 other signatures 2->62 7 New Purchase Order-030220- SMART SOURCING INC.exe 7 2->7         started        11 Mymp4.exe 5 2->11         started        13 Mymp4.exe 2 2->13         started        process3 file4 36 C:\Users\user\AppData\...\XZSDXtJsvVT.exe, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmp677C.tmp, XML 7->38 dropped 40 New Purchase Order...OURCING INC.exe.log, ASCII 7->40 dropped 64 Injects a PE file into a foreign processes 7->64 15 New Purchase Order-030220- SMART SOURCING INC.exe 17 5 7->15         started        20 schtasks.exe 1 7->20         started        66 Multi AV Scanner detection for dropped file 11->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->70 22 schtasks.exe 1 11->22         started        24 Mymp4.exe 2 11->24         started        26 Mymp4.exe 11->26         started        signatures5 process6 dnsIp7 42 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.252.36, 443, 49764 AMAZON-AESUS United States 15->42 44 nagano-19599.herokussl.com 15->44 46 api.ipify.org 15->46 32 C:\Users\user\AppData\Roaming\...\Mymp4.exe, PE32 15->32 dropped 34 C:\Users\user\...\Mymp4.exe:Zone.Identifier, ASCII 15->34 dropped 48 Tries to steal Mail credentials (via file access) 15->48 50 Tries to harvest and steal ftp login credentials 15->50 52 Tries to harvest and steal browser information (history, passwords, etc) 15->52 54 2 other signatures 15->54 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 21:45:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2i724oc4duoc5cus4g2hye7rcpcxamgypxwr4y3wttzfoaxziw4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
AgentTesla
0522494bc4a2bf38c14fc1bbbad35678d647c774c35c1597e294c815e773955c
AgentTesla
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
186519bfd9147fc835be7aef50ff15456e53210bbbeec69d0a0d6412999121a3
AgentTesla
5a3d7c1f20cc8960e4066054686bd39621451dec8daa2edc19f9525f79d1c9a9
AgentTesla
5e7ab36ec389a4294220c2b5535e8389fcb1acbd09b7a87dbc2e924ee54544b6
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
8f41da0e0362bc2485f17cff5b8b5e40a3790dbf4f53015d1d02f37906e4be42
AgentTesla
dbf5359a401271af5d65d5fde897690d76ef406be4bb72c468f4e3d1c422a345
AgentTesla
+ 1'697 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201201-egyydwynds/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9
MD5 hash:
136df65aa756b07aea3f00bf0349b743
SHA1 hash:
c87328b2625f802223ecc3e2ab9586fc6ec22116
Link:
https://www.unpac.me/results/b5c900e2-23a1-4b2c-83f4-c2809766cefc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Strictor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d23fae385c1d1c2e8a92e1b47c13f113c57030d87ded1e63769cf25702f945b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106302/

Comments