MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7
SHA3-384 hash: 7433e56175e0b556b6d35900caa443f7f0247b236275012c7ed497cf125d244f903f8c77a7ce37c89f3283918bba5c93
SHA1 hash: 439cc932725e6f8f4c196df1a986b811d6001275
MD5 hash: 30012118756de7f7d9dc3abb787cf462
humanhash: eight-alanine-friend-nebraska
File name:Orden de compra no699340.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:75'408 bytes
First seen:2020-10-10 06:58:43 UTC
Last seen:2020-10-10 08:04:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:9K/G4psE/FvNsSyeqSNM9YCMPRg02DhRCUf2hC:+KE1NVyeHuWgxDhUUf
Threatray 430 similar samples on MalwareBazaar
TLSH 42730149E581B417DABF0BB494E7C8583BF8D6B2502082299DE42FCCEE455533DAE0DE
Reporter abuse_ch
Tags:AgentTesla exe Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-785563.hostwindsdns.com
Sending IP: 192.255.235.153
From: Cuentas lopez <Cuentas@afglogistics.in>
Reply-To: george@chenklins.com
Subject: Re:PURCHASE ORDER
Attachment: Orden de compra no699340.img (contains "Orden de compra no699340.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69704/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487417
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296152 Sample: Orden de compra no699340.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected AgentTesla 2->60 62 8 other signatures 2->62 7 Orden de compra no699340.exe 24 6 2->7         started        12 Orden de compra no699340.exe 2->12         started        14 Orden de compra no699340.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 54 pastebin.com 104.23.99.190, 443, 49709, 49714 CLOUDFLARENETUS United States 7->54 50 C:\Users\...\Orden de compra no699340.exe, PE32 7->50 dropped 52 Orden de compra no...exe:Zone.Identifier, ASCII 7->52 dropped 64 Creates an undocumented autostart registry key 7->64 66 Creates autostart registry keys with suspicious names 7->66 68 Creates multiple autostart registry keys 7->68 18 powershell.exe 24 7->18         started        20 powershell.exe 25 7->20         started        22 timeout.exe 1 7->22         started        32 4 other processes 7->32 70 Adds a directory exclusion to Windows Defender 12->70 72 Hides threads from debuggers 12->72 24 timeout.exe 12->24         started        26 timeout.exe 14->26         started        28 timeout.exe 16->28         started        30 timeout.exe 16->30         started        file5 signatures6 process7 process8 34 conhost.exe 18->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 32->46         started        48 conhost.exe 32->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-10 00:46:41 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pj3alwur6vgzq56iu5wbtkk4ynbqhfw4bxlpqivwonqatuzvllq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f
AgentTesla
40ad91b6933578e04f70c93df1390205dda69285cb0a08337296bccf03a01d40
AgentTesla
814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869
AgentTesla
8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed
AgentTesla
8defc26c3fad9953293008069e733fc37d2069edefb6ab84c0a6dea168e8c963
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
d533947ea02478e71f86ece97892e0f87c0bd966395047a6e770158642134f18
AgentTesla
e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
AgentTesla
+ 420 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware keylogger stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201010-5q6rb2gjh6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7
MD5 hash:
30012118756de7f7d9dc3abb787cf462
SHA1 hash:
439cc932725e6f8f4c196df1a986b811d6001275
Link:
https://www.unpac.me/results/2df16a0c-7ba8-4705-a5a8-426078a4a63c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 5477593613f0a66521a902329f246b75d472c75c8295df6f27f0154b31e80b7a

AgentTesla

Executable exe ebd3b02ed48faa6cc3be453b60cd4ae61a181cb6e06eb7c115b39b004e99aad7

(this sample)

  
Dropped by
MD5 4d962b26a871dc4a69bcd14648a4c18d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69704/
  
Dropped by
SHA256 5477593613f0a66521a902329f246b75d472c75c8295df6f27f0154b31e80b7a

Comments