MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd
SHA3-384 hash: 9fe3419a2aaca1392c3b57e66263ff27637b47c37f94d3057b47670cdd6e239ca67ac1675b8e8e65038e4980e79c6061
SHA1 hash: 4f54310299013d1fd52c0f8e1640487393a5ee9d
MD5 hash: b8e5a84cef79a45bb1d32eae8cfefb0e
humanhash: foxtrot-lion-robin-happy
File name:New Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:879'616 bytes
First seen:2021-07-27 17:46:56 UTC
Last seen:2021-07-27 18:47:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:shB+wyTIuPgXcvNaOgKJfctA2/RQDiVISCmCBeJ5eQU7:DTI3cV2LfRyiaSC3Bi5eZ
Threatray 7'632 similar samples on MalwareBazaar
TLSH T158159D19B700BBAAD27D1E75C95B0D1893F0895B73B2FA9B28E139D00531B9D8A1F1D3
dhash icon e0e2aba3a5b8b8a8 (38 x AgentTesla, 18 x SnakeKeylogger, 14 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 09:55:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/728c1f03-a9e9-4fa3-b76a-3cf3da31f96c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174482/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.28745.21182.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a5ffc43-fdc5-4c03-8aaa-8b329face742
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822611
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455022 Sample: New Order.exe Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 5 other signatures 2->43 6 New Order.exe 15 4 2->6         started        11 qXLPL.exe 4 2->11         started        13 qXLPL.exe 3 2->13         started        process3 dnsIp4 29 www.google.com 142.250.203.100, 443, 49714 GOOGLEUS United States 6->29 23 C:\Users\user\AppData\...\InstallUtil.exe, PE32 6->23 dropped 25 C:\Users\user\AppData\...25ew Order.exe.log, ASCII 6->25 dropped 45 Writes to foreign memory regions 6->45 47 Allocates memory in foreign processes 6->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 6->49 51 Injects a PE file into a foreign processes 6->51 15 InstallUtil.exe 2 4 6->15         started        19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        file5 signatures6 process7 file8 27 C:\Users\user\AppData\Roaming\...\qXLPL.exe, PE32 15->27 dropped 31 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->31 33 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->35 signatures9
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 01:07:58 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lmmley7bxj7xvr74cqofvtzt3puabhnecu272542vgpvo2vsx6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1426445f6d5597d610f3480ce814969f67cf8557648cac0aea8627b4ee235a8c
AgentTesla
3097b8c703159cf613aba9c2f42b090a391c060402af0c322b29f26e4bf4c22e
AgentTesla
4afaa463a048f9c89866a9c7154bf4a9d20ed849cdf6a8c0cf4b0b8b105d8e3a
AgentTesla
7f100848ffb6fdc1e6747787b3fa3669a5fd4d7faa87d5b56c8d5470ab399d95
AgentTesla
8e8b3b7c12c9e7113b882eb559fe9fd5cac868f8e3238942bcc9fa893521c5a4
AgentTesla
90c16db8c607f8ea1d0ed85c003b30692128327b4593e2fb45121a564fac6c11
AgentTesla
cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
AgentTesla
dc2768ccfc25f2dc8a57db7a9c9ddd4532fc6044ffd9419c96cdf6e0251e7823
AgentTesla
+ 7'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210727-xryszle7g2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd
MD5 hash:
b8e5a84cef79a45bb1d32eae8cfefb0e
SHA1 hash:
4f54310299013d1fd52c0f8e1640487393a5ee9d
Link:
https://www.unpac.me/results/b8adfaaa-fc44-4e0b-9b83-2bf3c758939f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fad8c5931f0dd3fbd63fe0a0e2d6799edf4004ed20a9afebbcd54cfabb5595fd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/174482/

Comments