MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca
SHA3-384 hash: fdda892ff3dca4a9ef502ce2af161b60cfa4b2ad0e200ef1867e4a7fb06cc9986c8b16108e73ddfd3d53f8caa610bc17
SHA1 hash: ea8c11aff84790e64eb93981306bafa4400a846f
MD5 hash: ef6260889c044dc08a788a983efa52a3
humanhash: one-eight-london-glucose
File name:New Order-PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:512'512 bytes
First seen:2020-10-22 12:37:37 UTC
Last seen:2020-10-22 13:53:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:O5LGM4cDvQ/ts9gCGBo2XN1gXCZjtZSSJasjgaIgnJPM8//A9eOs8SDwRJj:OwM4WQ/c2VHaggmZM2oSDUR
Threatray 750 similar samples on MalwareBazaar
TLSH FBB4AFB2BD53946EC96A0BB9446986C0FABD1AC73FA48F0DB15F530C0F11A5BAB13147
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74647/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/507100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302671 Sample: New Order-PI.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 88 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 Sigma detected: Add file from suspicious location to autostart registry 2->38 40 4 other signatures 2->40 8 New Order-PI.exe 9 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\winlogs.exe, PE32 8->26 dropped 28 C:\Users\user\...28ew Order-PI.exe.log, ASCII 8->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 8->32 dropped 11 winlogs.exe 2 8->11         started        14 cmd.exe 1 8->14         started        process5 signatures6 42 Multi AV Scanner detection for dropped file 11->42 44 Tries to detect virtualization through RDTSC time measurements 11->44 16 cmd.exe 1 11->16         started        18 conhost.exe 14->18         started        20 reg.exe 1 14->20         started        process7 process8 22 conhost.exe 16->22         started        24 reg.exe 1 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 08:56:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mzoxxulhxacm4ul7ahh5xm3bqeat2g7fyupnovlvkrte6rjlxfa._file
Verdict:
malicious
Similar samples:
09f20acd87a94d2a22202840d712eb5658471c2c39168d6178890ddcc313e9f3
AgentTesla
140831c456eb79b85764ffe241d69f5c01b83af5ca6f124a8f9ef9399e0b648c
AgentTesla
1d5d33d83029cd0b64bd4171db3e6535c4f50d31cc585b6e2b10345121c346fc
AgentTesla
240159852a07d731922811db6650130ff93a374e2128e72bf2b7cf8b52fe551e
AgentTesla
28dac03786f358f9f18751a1e0809e61de6f29a999c45ebc42b778ecf924a880
AgentTesla
a837374ed66cc50cb5760f0f948db288657fd0891687f43df9b9260dfb71449c
AgentTesla
d5886c42f7b8f77d036091616f0314f37e2db5c117aaa769ede368027fe7d43a
AgentTesla
e423f6b4b543c1ed3a05bae9ae421e81c17eb3f02d7aea46ff2c9996d76b9858
AgentTesla
f06e899675196185bd5ced2ea49470470f7b466225b2aae345d0068c652263e6
AgentTesla
fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53
AgentTesla
+ 740 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201022-tye24trfre/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca
MD5 hash:
ef6260889c044dc08a788a983efa52a3
SHA1 hash:
ea8c11aff84790e64eb93981306bafa4400a846f
Link:
https://www.unpac.me/results/bde534c0-5207-4c8f-8ce2-750bfda29224/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/bde534c0-5207-4c8f-8ce2-750bfda29224/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
d251f33c578b44146aee824a95ff1e1f9a725c8d3e5d03924ce4227338c0c6fb
MD5 hash:
b47e8eafd28086d8b02d9a37787139b6
SHA1 hash:
2b120487d7f2f693d542fbda126491c0a3092ebd
Link:
https://www.unpac.me/results/bde534c0-5207-4c8f-8ce2-750bfda29224/
SH256 hash:
0b41347a563942da42869df47c604577e2cae28c448dd6d12d3a150eb4dcb047
MD5 hash:
272860a772f36d598888abd033239144
SHA1 hash:
583575fb2d09f122187466eb3cdaee2044038530
Link:
https://www.unpac.me/results/bde534c0-5207-4c8f-8ce2-750bfda29224/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c7e0312810ebe87a2b9a41898d049b6ff18e065278ec6dc9eef0d20eabeabec1

AgentTesla

Executable exe f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c7e0312810ebe87a2b9a41898d049b6ff18e065278ec6dc9eef0d20eabeabec1
Cape
Cape
https://www.capesandbox.com/analysis/74647/

Comments