MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314
SHA3-384 hash: a2dc0ef4592a216c619cc0828efbe18e3120386623b51429091be819dd543c5ad8cdffcb56a8973acfa6db57f0aeaee7
SHA1 hash: c6a2394c14529f9569a8cb4fa97f6d561d848118
MD5 hash: 1da2611d005b3e9772473c6c6a30a4bb
humanhash: emma-lima-blossom-winter
File name:order-2020-PO#0834.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:787'456 bytes
First seen:2021-01-25 10:12:38 UTC
Last seen:2021-01-26 09:38:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:p6fGyYD00feTB2nv25KgvA4wYTqJnnaavKf:p6byfed2nv25Kg4DnaoK
Threatray 2'275 similar samples on MalwareBazaar
TLSH D9F45B30369473A2C8759B740C24E1B413B3BD45AA19DA5E7CD91E4F7D22E2B8732B63
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
15
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order-2020-PO#0834.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 10:16:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/715c646c-b03c-4da3-8c4c-83bd2b782110

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114601/
Detection(s):
SecuriteInfo.com.generic.ml.23836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589301
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343667 Sample: order-2020-PO#0834.exe Startdate: 25/01/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Sigma detected: Scheduled temp file as task from temp location 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 9 other signatures 2->35 7 order-2020-PO#0834.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\VkdmIUfSlA.exe, PE32 7->19 dropped 21 C:\Users\...\VkdmIUfSlA.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpFADD.tmp, XML 7->23 dropped 25 C:\Users\user\...\order-2020-PO#0834.exe.log, ASCII 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 11 order-2020-PO#0834.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.grandtours.gr 95.216.7.161, 49761, 587 HETZNER-ASDE Germany 11->27 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 Tries to harvest and steal browser information (history, passwords, etc) 11->47 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 10:13:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3jraga4jsugjnys6ibxcy2mlexh2zve6zpnktbscd63zsxjo4mka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87
AgentTesla
34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde
AgentTesla
+ 2'265 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
ransomware spyware
Link:
https://tria.ge/reports/210125-ebazw413je/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
afd9c0ddbf1c8620c2b0b2b3d96340e9ad77b159be71586d177443b85fcf0c2e
MD5 hash:
f0fdf026a7c94589ec854dad4220cad9
SHA1 hash:
51974f280e55bd57143c469558f097fa7c82857b
Link:
https://www.unpac.me/results/e9fe6abe-f303-4030-8d4a-db6f72c621e0/
SH256 hash:
28af97b7ba9da3bb6ec96619fcac1c48bea0ca732819f5eb9751caa6fbf6b9b0
MD5 hash:
8071e5cdf461f5a7ea9a65c4934d83b6
SHA1 hash:
1c0f39cdf037b4f953b6477cdd1a76d10da4b31f
Link:
https://www.unpac.me/results/e9fe6abe-f303-4030-8d4a-db6f72c621e0/
SH256 hash:
44edfb223a58f5835537ff189730738726141b48234c857d8465af283ae13783
MD5 hash:
e0f173d1d56176c5f3c0e233f6e0ffe2
SHA1 hash:
0cb3bca5054dffda187ba7185295da146651b19a
Link:
https://www.unpac.me/results/e9fe6abe-f303-4030-8d4a-db6f72c621e0/
SH256 hash:
da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314
MD5 hash:
1da2611d005b3e9772473c6c6a30a4bb
SHA1 hash:
c6a2394c14529f9569a8cb4fa97f6d561d848118
Link:
https://www.unpac.me/results/e9fe6abe-f303-4030-8d4a-db6f72c621e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0de89eab1bd6eb9849695e45e4ca3cd0e837ae5d10f8f19576e66e0373dfe8b8

AgentTesla

Executable exe da62030389950c96e25e406e2c698b25cfacd49ecbdaa986421fb7995d2ee314

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0de89eab1bd6eb9849695e45e4ca3cd0e837ae5d10f8f19576e66e0373dfe8b8
  
Dropped by
SHA256 f0e20d20dcab9b538ca6536633f36783008f307b3c40ac90c9de1446c1043fdd
Cape
Cape
https://www.capesandbox.com/analysis/114601/

Comments