MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee
SHA3-384 hash: 4820ca52c697ae06483fc9ce6a7eb356730482c07b098cf8921f95ea5818b979ffee275f6e19c02e39cb7ec09d715682
SHA1 hash: fd54460ed6b682d6041f7d73029b3803e82b46e9
MD5 hash: 4528ea1b5d39770bbccdcf904c37194d
humanhash: fillet-butter-may-low
File name:order list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:512'512 bytes
First seen:2021-09-19 16:19:11 UTC
Last seen:2021-09-19 16:57:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:vgzCjz4/eTnYoBZbqUzW2FxDWqrxjup3u3m8hx:vrjyeTnxBcUyIRup3u3pT
Threatray 9'983 similar samples on MalwareBazaar
TLSH T178B4E03A32599372EB2907F02840645163B93C262E60DBDD6E887FDB35F672D0611B9F
File icon (PE):PE icon
dhash icon 644edee4f4f0ccd4 (3 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.medicare-equipment.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order list.exe
Verdict:
Malicious activity
Analysis date:
2021-09-19 16:21:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4f133c5e-fb5e-412c-b335-28db795e9f43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189093/
Detection(s):
SecuriteInfo.com.Trojan.Win32.starter.ali1000139.29206.9480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f7ed77f-61a1-4a18-bbdb-5677f96062b0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853548
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 16:20:14 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oathhipb5u7szswnojfh4i5nmwtxi4st5ghib5g4bddmizuwhxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0212a6f3797ab76db1daed6548c89db8174f07ab3376bf70a760361970506a88
AgentTesla
14db3f82df6b962247e632da97767bb052805916a4936000ee500ae87479c7d8
AgentTesla
5dd92be22d005624d865ddf07402eb852426fc97baa52bbc58316690d41adb74
AgentTesla
81a5ce1c2439d2dca4eabecfc150f3fa1003f570913157a74cf1c5c1737f006d
AgentTesla
92d4922b8c19be945de3640add234d12c124bed9faf7f5a0840b9571bec5abe9
AgentTesla
bda8b57cfb54635dddd83ed0fb37e2c37450494b1692c0a4e5985024c009e814
AgentTesla
e94b8626361ef2ef783dbb4c5662c62a2f27f79e7453b0831805a04541e0ac12
AgentTesla
f5f12d936f0e29a6e3ed94dfb1341fbb92f84ae8849c2c764f9210c76d9ffb14
AgentTesla
fc40429e1461e2cc002fdb2b131ca7eadd4f3a688a24130197667c3493213986
AgentTesla
fe0f394e06eecf0854560d2cfc1a07bce9f56851e95e9fcb33ebdc7ed7c89b0d
AgentTesla
+ 9'973 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210919-ts6kzsehak/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/2fc5b47a-8ea3-4a07-acc6-37f536221b9c/
SH256 hash:
38da3eabc2edec0c742eae22269f6f3aa84e6569b073e7a014b87213e129c423
MD5 hash:
f1b1f77a65cce66417be71012ee8d6f2
SHA1 hash:
4e46798c658c7ac70609e916e538b60598e66e25
Link:
https://www.unpac.me/results/2fc5b47a-8ea3-4a07-acc6-37f536221b9c/
SH256 hash:
34c4015f72292ed28c5cc706bae11c24f67ad7ca218cd2f117b443f0036156a8
MD5 hash:
b700f40c0aead174f68609159e7798c1
SHA1 hash:
3a2d68f8a04716b59a0ed9ecad251debe37f68d7
Link:
https://www.unpac.me/results/2fc5b47a-8ea3-4a07-acc6-37f536221b9c/
SH256 hash:
fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee
MD5 hash:
4528ea1b5d39770bbccdcf904c37194d
SHA1 hash:
fd54460ed6b682d6041f7d73029b3803e82b46e9
Link:
https://www.unpac.me/results/2fc5b47a-8ea3-4a07-acc6-37f536221b9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb81339d0f0f69f966566b9253f11d6b2d3ba3929f4c7407a6e046362334b1ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189093/

Comments