MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
SHA3-384 hash: 0317ec175c17afb88776c1946460c36efabbf31636e895455590968395bb90a9a409734862aea79f514e3a9ece0e0556
SHA1 hash: 78ee4416a945b7e7d010a9531524054b3ff1d9fb
MD5 hash: a90804eba0d1708a45475afc19c1abb7
humanhash: mars-bakerloo-december-aspen
File name:NEW ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:19'312 bytes
First seen:2021-02-24 07:03:55 UTC
Last seen:2021-02-24 09:04:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:GYVn/VVpkOUmEACFvch8NosZiEmV+8jh:HNVyOUmEAGUKJiEPUh
Threatray 2'899 similar samples on MalwareBazaar
TLSH 11823A26DE171C24E8777B352EE72218DBB0B781963B853B558890821E43B807B6CF79
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.parmtex.xyz
Sending IP: 139.59.236.19
From: GAN Phei Yun <phei-yun.gan@arkemas.com>
Subject: URGENTLY NEEDED QUOTATION.24.02.2021
Attachment: NEW ORDER.iso (contains "NEW ORDER.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 07:39:58 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/ed1a6c31-3472-4ad5-b491-759b68cb3fe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118860/
Detection(s):
SecuriteInfo.com..5858.32406.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616362
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 357187 Sample: NEW ORDER.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 53 canonicalizer.ucsuri.tcs 2->53 55 prda.aadg.msidentity.com 2->55 67 Multi AV Scanner detection for domain / URL 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected AgentTesla 2->71 73 8 other signatures 2->73 8 NEW ORDER.exe 23 10 2->8         started        13 explorer.exe 2->13         started        15 explorer.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 57 coroloboxorozor.com 172.67.172.17, 49720, 49745, 80 CLOUDFLARENETUS United States 8->57 45 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->45 dropped 47 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\...49EW ORDER.exe.log, ASCII 8->49 dropped 51 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->51 dropped 75 Creates an autostart registry key pointing to binary in C:\Windows 8->75 77 Adds a directory exclusion to Windows Defender 8->77 19 powershell.exe 8 8->19         started        21 powershell.exe 8 8->21         started        23 powershell.exe 9 8->23         started        33 2 other processes 8->33 25 svchost.exe 13->25         started        79 Drops executables to the windows directory (C:\Windows) and starts them 15->79 29 svchost.exe 15->29         started        59 127.0.0.1 unknown unknown 17->59 81 Changes security center settings (notifications, updates, antivirus, firewall) 17->81 31 MpCmdRun.exe 17->31         started        file6 signatures7 process8 dnsIp9 35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        61 104.21.71.230, 49744, 80 CLOUDFLARENETUS United States 25->61 63 coroloboxorozor.com 25->63 83 System process connects to network (likely due to code injection or exploit) 25->83 85 Multi AV Scanner detection for dropped file 25->85 65 coroloboxorozor.com 29->65 41 conhost.exe 31->41         started        43 AdvancedRun.exe 33->43         started        signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 07:04:25 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zcdmzwrfipyvpaulcjzbacug3quyajrxfyfyog5ijnb62d6rfeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
1817a8f184410911c6b9066527e88931d69296564be916ed0b2029c20c684bbb
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
99d1e6642a3f135215927e2166213409c4390a70332a77ea5fb342beaf629d65
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
c725eea92437455b05cf0c4007e63abff342befc67e4b8ad0e60eaa96074955e
AgentTesla
d524cd860456f8ba974792e116c29500bd251b580d42df1d115ffe96b5f79d43
AgentTesla
+ 2'889 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210224-q3cdglh1qj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
MD5 hash:
a90804eba0d1708a45475afc19c1abb7
SHA1 hash:
78ee4416a945b7e7d010a9531524054b3ff1d9fb
Link:
https://www.unpac.me/results/1178b732-ef4c-486f-a54d-32681e766d44/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso e9c9466e20d0c0f09f58ce67a840ca46d49b5075583269a49a76899623a25055

AgentTesla

Executable exe fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949

(this sample)

  
Dropped by
MD5 003e61f4f88ee383df9b9d7871b63e2e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e9c9466e20d0c0f09f58ce67a840ca46d49b5075583269a49a76899623a25055
Cape
Cape
https://www.capesandbox.com/analysis/118860/

Comments