MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f4992ccd1efb1526569676630c916c68f1bc0ea3ca0061286d22950244666f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 17
| SHA256 hash: | f4992ccd1efb1526569676630c916c68f1bc0ea3ca0061286d22950244666f64 |
|---|---|
| SHA3-384 hash: | f0b8b56ec9833aca27d9ce39fd23ddc936207056b5af58c2a4764d3888cf8681b2165b0c26356a80437becaac33f58b9 |
| SHA1 hash: | b23efed3e7ab540379fb9863e6d7bf445c456199 |
| MD5 hash: | 7e1c03bada58a8b918b675894c5b0492 |
| humanhash: | harry-four-india-washington |
| File name: | NEW ORDER.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 771'584 bytes |
| First seen: | 2023-06-16 06:19:56 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:beAlrBf7dil/ws3LRP9jhzA6wnsfB3QPy6EJ2SAsAr3AGBIxcsuNsJjoRh1UF:qAPEIkR9N1BQy6EJ2KArwGC6s |
| Threatray | 5'464 similar samples on MalwareBazaar |
| TLSH | T1DBF4E098325075DFC817CC7B8A986C64BA2070BB930BD24791531AE9DA4DADBCF146F3 |
| TrID | 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  cocaman |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
410
Origin country :
CHVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-06-16 06:20:38 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
formbook packed
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-06-15 07:36:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 5'454 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Unpacked files
SH256 hash:
643b1cfe7e52bd9d511db8a28b3fc1f6fc13d9579b744842fef7f324d6716334
MD5 hash:
cd5cc699133ae4249b671a9fc2fd0830
SHA1 hash:
7d19129d838aedf697c52cfc9b66f886da55b1f1
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
SH256 hash:
b854efd70f87b6cf0217c4ff3f38604c34a257694cf1d4219976159e1e814720
MD5 hash:
2350c08e423fbfb08ac0af73a0f73caf
SHA1 hash:
4e0a0397bdc2fcd46fd8eb1964426029a7f9d940
Detections:
AgentTeslaXorStringsNet
SH256 hash:
d896e9cbed9020c3d6d6378cdf66468fdfcb44e4bdf8539ede8b5c7d2441347a
MD5 hash:
396e182948a7b12e9205e2f713fc57ed
SHA1 hash:
42b4686fb78443cb09b5779c0113486504ad62d7
SH256 hash:
f54921444e99ecef8744110cc6361bcc4809a4d57e8e14c3b965a95192eda696
MD5 hash:
8a0fb58954fb58b7fdc32348b5d5cd57
SHA1 hash:
275a02ce1216d9772fe67d3e2099d80f05d30370
SH256 hash:
f4992ccd1efb1526569676630c916c68f1bc0ea3ca0061286d22950244666f64
MD5 hash:
7e1c03bada58a8b918b675894c5b0492
SHA1 hash:
b23efed3e7ab540379fb9863e6d7bf445c456199
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.