MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
SHA3-384 hash: 11ebccc6bae6ad2108c37f49a3f7c3344275d5c0be5d749f68eaa269d8cc301dbcd777ab8245edd0b9673361ea0f388d
SHA1 hash: f4db6264e2f9aa0aa1f889dd8cfaa886857c3bd0
MD5 hash: ab03a48a29967e738583140e6eb84f0b
humanhash: september-kentucky-missouri-failed
File name:Purchase order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:652'288 bytes
First seen:2023-04-19 08:25:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:YHB90kVJbrCp1FGuXXEhCTRn/V66l6un/J2rT3HCUZkLUQiJZeQU7:xkfOpmuHcCdV6i/JnykjOZeZ
Threatray 248 similar samples on MalwareBazaar
TLSH T12DD4F154D125ADF2EA8E0B3504053AE9DB74AEE37477C53C0B9A7996DBBF3142C8408B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0e2aba3a5b8b8a8 (38 x AgentTesla, 18 x SnakeKeylogger, 14 x Formbook)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase order.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 08:28:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eded2a42-36ba-4db0-b2de-0acb1acf2ac2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383237/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.Spynoon-9939401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643fa59b8da0bdd508330646/reports/66b42ed7-396b-4af4-85d3-435c47171995/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c643cfbd-9251-4881-90b5-bca9fc610de5
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216656
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849579 Sample: Purchase_order.exe Startdate: 19/04/2023 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->62 64 7 other signatures 2->64 7 Purchase_order.exe 28 2->7         started        11 bUhSoz.exe 26 2->11         started        13 bUhSoz.exe 2->13         started        15 hBzJVE.exe 2 2->15         started        process3 file4 48 C:\Users\user\AppData\Roaming\hBzJVE.exe, PE32 7->48 dropped 50 C:\Users\user\...\hBzJVE.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\Local\...\tmp6A35.tmp, XML 7->52 dropped 54 C:\Users\user\...\Purchase_order.exe.log, ASCII 7->54 dropped 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->74 76 Uses schtasks.exe or at.exe to add and modify task schedules 7->76 78 Adds a directory exclusion to Windows Defender 7->78 17 Purchase_order.exe 2 10 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        80 Multi AV Scanner detection for dropped file 11->80 82 Machine Learning detection for dropped file 11->82 26 bUhSoz.exe 11->26         started        28 schtasks.exe 11->28         started        30 bUhSoz.exe 13->30         started        32 schtasks.exe 13->32         started        34 WerFault.exe 4 10 15->34         started        signatures5 process6 dnsIp7 56 host43.registrar-servers.com 198.54.116.10, 49702, 49704, 49711 NAMECHEAP-NETUS United States 17->56 44 C:\Users\user\AppData\Roaming\...\bUhSoz.exe, PE32 17->44 dropped 46 C:\Users\user\...\bUhSoz.exe:Zone.Identifier, ASCII 17->46 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->66 68 Tries to steal Mail credentials (via file / registry access) 17->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->70 36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        40 conhost.exe 28->40         started        72 Tries to harvest and steal browser information (history, passwords, etc) 30->72 42 conhost.exe 32->42         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 09:44:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ari3tq2ywfaeof7vayfouvyrgj6pc2onjrler5nmepy2d63ua4la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
AgentTesla
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
AgentTesla
7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
fbb8dd09df0e0c79dcf488c021765e4fa915ca3a490ea45a78b622565e920f1a
AgentTesla
+ 238 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230419-kbvbyshc95/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ff25c5429851f3493d0bcf369f8b01a19efecf862e4b57b878117b3d4590ed1a
MD5 hash:
a13d72e655e7324c6841175f94adc538
SHA1 hash:
f2bc12213093449b73784d86a630ad468255fdb1
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
SH256 hash:
5a4bedee3bac07b3509adcd46037a7bc4da726a02666e579afb42bf660583de1
MD5 hash:
8d344049316704ac4728881797624681
SHA1 hash:
bc7daefaacd97b7ae909ffbc6c3370c36d1b5aab
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
SH256 hash:
39dd649c044feae9d43ddd49e64c4c2c7b434131d5951b58c6b70f4d1356035b
MD5 hash:
4bba97de1b97225183ffccb680f9bbd9
SHA1 hash:
9f194249d95f6abebfcf7ed1f0e03440b2487ee2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
Parent samples :
a494db0ac3044848e328e4df3cda6dfd698f5389376623cf9936cfc7ce5a31ad
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
6beb6c8530ae26563b435151158d82e6e097cf51a4e27693c694aa237207d57a
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
SH256 hash:
d29f74a434af40e6302f7675c8623119e1d4f6481d47ffcc118d036044380f06
MD5 hash:
7a7d6d95d2c49bd692c8828629ea4859
SHA1 hash:
39c34e9474ac70ac5cd8a3b76082e39d0bd18191
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
SH256 hash:
0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
MD5 hash:
ab03a48a29967e738583140e6eb84f0b
SHA1 hash:
f4db6264e2f9aa0aa1f889dd8cfaa886857c3bd0
Link:
https://www.unpac.me/results/6a23a84d-5243-43af-a367-d078f6c65256/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383237/

Comments