MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536
SHA3-384 hash: 94c9ec6aca6c224efc3039aa18d1019cf51cf118da892898387a09546bdfe8cd165294c93c335fd318c2564e2cb1c9f4
SHA1 hash: fd30be9152408b91c508c28efa5cdb2b9f10ead8
MD5 hash: 0f68ea6d9ea70deb9d66c49babfe3d7f
humanhash: angel-mango-stream-may
File name:product order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'177'600 bytes
First seen:2020-12-23 09:34:40 UTC
Last seen:2020-12-24 06:12:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:t8OkIUEmeLw/2ccNN3137pw9ph5QD1KpvSTy1SBAy:t8OJr2/cNN3137WpDQDo8O1SBAy
Threatray 1'973 similar samples on MalwareBazaar
TLSH 85456BDD762072EFC857D462DEA82D64EB5074BB931F8203902745ADDA4C89BDF284F2
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
634
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
product order.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-23 10:24:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69761815-d286-4468-a468-9bb8eb3e193d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.474.9923.507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569050
Signature
.NET source code contains very large array initializations
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 09:35:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 48 (45.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rukzsipstel73yp5lib33ume654gbg2gsttnvw6rrn43wcy6u3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
AgentTesla
499fbb163155c9ddf1ea79a16f5bb1a752af4e25bfc4ad7e482ffde471b6cde3
AgentTesla
53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5
AgentTesla
879fabd244225331efd47ce153381e8c2bcf02a9b81b430e346f6395ecc9c666
AgentTesla
87ef5ba8bdcbfaee9829e5fd425c328e63edcb4e35481126a6c11b2498f72ddd
AgentTesla
ae1bb9370bff1b5634fcc9aebf4f0fd874f66e75ceba1153449fbf8459272db8
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
d5fa02045d60d623dacb74b1a719e571982f6a68ea7781c06f8d0ce104b98bd6
AgentTesla
f550b174528b14a38ed8725fc03cf092de3e976a4287874c4fd5eb7fad33312f
AgentTesla
f620c94acf7ee91164eb9c8e6c75602f18a8c2f2bf846c7ebb1e838fedf6867c
AgentTesla
+ 1'963 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201223-3ekxxyqxbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536
MD5 hash:
0f68ea6d9ea70deb9d66c49babfe3d7f
SHA1 hash:
fd30be9152408b91c508c28efa5cdb2b9f10ead8
Link:
https://www.unpac.me/results/572ee523-34a9-44e5-bc4f-d20428fa994c/
SH256 hash:
60b562840256e05f86419f89fed7671e94f17fab19972d497f9178942cbaba2a
MD5 hash:
62a9ffa7c6019ac4b147effaef99013e
SHA1 hash:
04391c55ce9c8bc9e4b96032a1b9a71c23e7c121
Link:
https://www.unpac.me/results/572ee523-34a9-44e5-bc4f-d20428fa994c/
SH256 hash:
01025bce19b2a7c4e9360f7b5a204cd7fd7fba511c8c31f8190b20bc6e6fb723
MD5 hash:
6766d1a44f4fb0f752cb9fc57e9694cc
SHA1 hash:
515d9fc0438d1d8f505f130a158ec2468ca43f65
Link:
https://www.unpac.me/results/572ee523-34a9-44e5-bc4f-d20428fa994c/
SH256 hash:
424191992d6b6920c55729bf4a5395c2ca7394a8528e75e3abc9dfa0270230d8
MD5 hash:
917dfcfc6b455e46f5f2574f114d8688
SHA1 hash:
8e0bb314fbc23a5eaedcee61d6d35d51fb1ff852
Link:
https://www.unpac.me/results/572ee523-34a9-44e5-bc4f-d20428fa994c/
SH256 hash:
bd675d6cd272ca0cfa01a98561b2121e5c61487d9bf08577ba3147cbd785e2b4
MD5 hash:
ccbd314565d462b8f76596275738076b
SHA1 hash:
bb8f01acca0a653d9c9ae87fae81f8b0307c4788
Link:
https://www.unpac.me/results/572ee523-34a9-44e5-bc4f-d20428fa994c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z e3b424d12e4fbada800dfdef8b7e7ee7759bddde6a066434db4d8067fee28172

AgentTesla

Executable exe e468acc90f94c8bfef0fead01dee8c27bbc304da34a736d6de8c5bcdd858f536

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e3b424d12e4fbada800dfdef8b7e7ee7759bddde6a066434db4d8067fee28172

Comments