MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5cd3fd6f464b533a09a410d4f5d1118595d6b192a428d6736c5302de0b13dfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	f5cd3fd6f464b533a09a410d4f5d1118595d6b192a428d6736c5302de0b13dfe
SHA3-384 hash:	336b1a06d4ffe0431262763b2967c6f387bdc34b9eaa88fd873a9d08a69e2640ebae19ca700cfbf40c2adc0d1b0a6c4c
SHA1 hash:	412532e138510ffcda3ea6574ea794e7a084c282
MD5 hash:	f2472f3104cdb9d5c0f2e16b812768ed
humanhash:	sink-july-white-london
File name:	ORDER.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'295'872 bytes
First seen:	2021-06-29 12:55:13 UTC
Last seen:	2021-06-29 13:42:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:F1kRg/I3vpwmL8fsLalCN+O962fAZyxAqe1WEH5w5K/MQhiIRR9uLSwQXwAxfCnF:F1k
Threatray	6'192 similar samples on MalwareBazaar
TLSH	D455583D59BE223B91BDC3899BC98D2BF840D67B30517E7898D743A5470AA4339D213E
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ORDER.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-29 13:07:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/df3532cf-4dc6-44f8-aa73-75c5b0e3046f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/168752/

Detection(s):

SecuriteInfo.com.Trojan.Hosts.48622.7952.23333.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2994d25-a5d0-4bd9-b236-6de408a474e2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809344

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f5cd3fd6f464b533a09a410d4f5d1118595d6b192a428d6736c5302de0b13dfe/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2021-06-29 10:13:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6xgt7vxums2thie2iegu6xirdbmv22yzfjbi2zzwyuyc3yfrhx7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3

AgentTesla

45729be7af7c3a3c18d7b032a1797d63655fccd33c6e494a478356b55b29ce38

AgentTesla

4c122805ffa252199f267845085ea5304553a541c8814a4b907e8dfefc25eae1

AgentTesla

6adc726b1fed131552f57794978c3a0ea49e8f816092e106454e73539511e9e7

AgentTesla

6bc23ccd8612b26fde69c3c640beaf2b1997b5081ba210eb7b26f903c80b55da

AgentTesla

6f592576db55fc5899d4d7fa36301d0873bbe4740928d262c44c652ceca29953

AgentTesla

a02fab001fe08ddb9a1ff1113714164bfb779c3c1829e0db5de65a9174f3af7c

AgentTesla

e6287280721108b9532830ae26f789f9469efc3fcc953686d52d16da66824858

AgentTesla

ee126cf35bbdcf2b2e8bbff8f27371910f9037799d4a3f5dbba16e5dc39797e7

AgentTesla

+ 6'182 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210629-hee3ln7wza/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/5cf2ee0b-f3ce-4c34-b1de-fcf6e8f4b677/

SH256 hash:

d069cf56ffb827d4e7ac2e71eb043605374b8f68b33b01279ab96eda2bd99284

MD5 hash:

ba5191d1158984044f73523fcc3a6752

SHA1 hash:

4f9aa6634a6cd1e3b0c00c34f803ca94e5f30a59

Link:

https://www.unpac.me/results/5cf2ee0b-f3ce-4c34-b1de-fcf6e8f4b677/

SH256 hash:

e9e94119c21e6602dad6b952f0ae55554a64618bd3a68d380d950c18dbca1068

MD5 hash:

a780d87076b5ab7436d1db750c081d6b

SHA1 hash:

4a58e79bed1eb2ed590649236c981ce8bd59b669

Link:

https://www.unpac.me/results/5cf2ee0b-f3ce-4c34-b1de-fcf6e8f4b677/

SH256 hash:

f5cd3fd6f464b533a09a410d4f5d1118595d6b192a428d6736c5302de0b13dfe

MD5 hash:

f2472f3104cdb9d5c0f2e16b812768ed

SHA1 hash:

412532e138510ffcda3ea6574ea794e7a084c282

Link:

https://www.unpac.me/results/5cf2ee0b-f3ce-4c34-b1de-fcf6e8f4b677/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5cd3fd6f464b533a09a410d4f5d1118595d6b192a428d6736c5302de0b13dfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/168752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample