MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e73d5449c96c2b696fba508fc10aed6fb5c816cad4c6052dc8d3a972add1eeb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e73d5449c96c2b696fba508fc10aed6fb5c816cad4c6052dc8d3a972add1eeb1
SHA3-384 hash: 7fe57af7b0a85a2a4851f9ed9a78048a4988b6accb14a7111de755ea00d29eb97fa2743e62f6d0f43a3fe0cb7ff875bc
SHA1 hash: 38651d0e0ffcde063f09d9273a5101e61030a38b
MD5 hash: 7eba48890bd5e69d902b3a4b4c5da4fb
humanhash: cardinal-fifteen-nine-twenty
File name:ORDER_SV-033764.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:173'568 bytes
First seen:2022-05-10 12:20:27 UTC
Last seen:2022-05-10 12:52:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'880 x AgentTesla, 19'800 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 768:PkjVOgVkmkR6ES0JXtZhVm13j2tSHPWcSaYR:PkjVxVkmk7SE
Threatray 1'338 similar samples on MalwareBazaar
TLSH T1A904FB52EBB6EF35CE34093F828573295F2E5ED181F27D8E304DB1652EB9D00C5846AA
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 31 x Formbook, 12 x RedLineStealer)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ORDER_SV-033764.scr
Verdict:
Malicious activity
Analysis date:
2022-05-10 12:21:34 UTC
Tags:
agenttesla trojan rat
Link:
https://app.any.run/tasks/41288c9b-88b4-4bb3-968f-2e5d5ae795ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269419/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.378.9147.27755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627a58c54b517e213c28c726/reports/3673d496-2aeb-4015-bd01-9e09fdba731f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59a38e1e-f879-4fb8-99b0-f70c3b2ab5b8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990923
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 623416 Sample: ORDER_SV-033764.scr Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 41 mail.atron.pt 2->41 43 atron.pt 2->43 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 6 other signatures 2->53 8 ORDER_SV-033764.exe 16 6 2->8         started        12 Doigim.exe 14 3 2->12         started        15 Doigim.exe 3 2->15         started        signatures3 process4 dnsIp5 45 185.222.57.155, 49742, 49795, 49797 ROOTLAYERNETNL Netherlands 8->45 39 C:\Users\user\AppData\Roaming\...\Doigim.exe, PE32 8->39 dropped 17 cmd.exe 1 8->17         started        19 RegAsm.exe 8->19         started        21 RegAsm.exe 8->21         started        55 Multi AV Scanner detection for dropped file 12->55 23 cmd.exe 1 12->23         started        25 cmd.exe 1 15->25         started        file6 signatures7 process8 process9 27 conhost.exe 17->27         started        29 timeout.exe 1 17->29         started        31 conhost.exe 23->31         started        33 timeout.exe 1 23->33         started        35 conhost.exe 25->35         started        37 timeout.exe 1 25->37         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e73d5449c96c2b696fba508fc10aed6fb5c816cad4c6052dc8d3a972add1eeb1/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 01:37:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=446visojnqvws352kch4ccxnn624qfwk2tdakloi2ouxflor52yq._file
Verdict:
malicious
Similar samples:
31d0c756511a92e103d90c39fe935fc3f05bcd877de79cdf3a65ca008d91dfdf
AgentTesla
394414a236f4da7d2d4ca7ddc7427d1da341789b18312b292d34dd683dc43007
AgentTesla
3b61599315b7b2f3c545912e143e618eba3cb8a494540d603f35df1253b1eaea
AgentTesla
4114fe792f648868955f39ae7ba221c830169f3a871a4ead39776a88732ef9cf
AgentTesla
4b08ecf8154c2aec9f610d64a7f86adcd35c42211c0b30e1ded43f05b64a5bd2
AgentTesla
605ade46e2008848c5d97ab59b76fa42ae845e3833545bf933b945ae6db9839f
AgentTesla
661db4c325029f3b5e236d2812ff575e87419791b74af69621ff777de17de348
AgentTesla
ee1c5cb3398bc74f8b8be8cc13916404e1258d2eb7c2336d3e65677eec4f1cb0
AgentTesla
+ 1'328 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220510-pja1habegl/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
e73d5449c96c2b696fba508fc10aed6fb5c816cad4c6052dc8d3a972add1eeb1
MD5 hash:
7eba48890bd5e69d902b3a4b4c5da4fb
SHA1 hash:
38651d0e0ffcde063f09d9273a5101e61030a38b
Link:
https://www.unpac.me/results/e3efff3e-bfda-483c-9a29-edd5f05ff9fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e73d5449c96c2b696fba508fc10aed6fb5c816cad4c6052dc8d3a972add1eeb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269419/

Comments