MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
SHA3-384 hash:	3910fbcfc7eb1947f36cd02e69cb55e40f111f9e5669538a031c1b82d99ccd3c205a8801a0f54794b2783eb5540c7508
SHA1 hash:	b33ac69d327091b970ba05b3b24451d32607ac24
MD5 hash:	bfe2de8eba236fb0eb346c2f86c3bf26
humanhash:	september-hotel-nuts-monkey
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'095'168 bytes
First seen:	2023-06-14 08:39:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qqr+rZVvLJPXmkZ3qlFFr0lJYJwOXGkhzPeXpRP+sv:qrrtX58FF5wOXGkFCpb
Threatray	5'382 similar samples on MalwareBazaar
TLSH	T17735913E1CBE523B95B4C6AACFD58827F440E5B731226D39A4D353864356E8239C723E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order.exe

Verdict:

Malicious activity

Analysis date:

2023-06-14 08:58:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cccc4adb-19ad-40d2-ba17-11e556385693

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/398655/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67510308.31874.23030.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

quasar

Link:

https://www.filescan.io/uploads/64897ce4afa30f336ef0e655/reports/6de1f25b-6a36-4bd2-9758-da8aed41796e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7ecebba-2df0-4bc6-a089-57ce531a7d57

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1254283

Signature

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-13 22:10:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aw43fot455llbd35s6pqsemvfdsn4m5wczkztrpvkc4mhr5d7hja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

58036d338d5e813b0143524d21a140f38d8b58f1a531b72f7ce4a82091380185

AgentTesla

5d9023550ab2c666d9361bb72940be22b4304febbb93f21e4a93ea93748f33c8

AgentTesla

60e1ed8c3c6bc9d9ef48d6e2129a75c8d39deb97844ab5b17944539e4400f24a

AgentTesla

813ee787efe7691b84a7286dfb567f0f6f377f3ac0f0d2dc200e106df9f8f222

AgentTesla

852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5

AgentTesla

8617b9831e3ac243a932ac26cb32dcf1b3554300389c2d6d88b920b5d97be0dd

AgentTesla

9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901

AgentTesla

d1152b70f5918e5fcb1e0648d485d7ed5b06a2394bf182ff0a1049cabb04d065

AgentTesla

eeb2bc1861ce16da1ce6bf7a28f19b6096454dd3f1133d3cc4f89e6eadf67dfa

AgentTesla

+ 5'372 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230614-kkvzvafa55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d

MD5 hash:

9390df6c9a6111978dee5414bc42eda6

SHA1 hash:

d3cb1c366b9e466afa93eb369838a04d30777795

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

SH256 hash:

9f8e41845c036987e077fad933f55cb08580b9aea10f14c2025a1c955c88b705

MD5 hash:

6c2f276d56a0cd6a84a43d5e44310a19

SHA1 hash:

a57cce17fddca2f0d5c2a0c4f68519303373a5c3

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

SH256 hash:

f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588

MD5 hash:

15aab611795bcbf2758052944013be1a

SHA1 hash:

772a1002b111e117cf3b1e9f0cabda4894777399

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

SH256 hash:

af5628432c6d8e7c7de62add7ed15d79e04a8320a2917c87577f117510753bef

MD5 hash:

8276c1e9a22142555e24725ca2304a0b

SHA1 hash:

5e945688b82f0281849fb89eaa5e5daae9559244

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

SH256 hash:

dc75b431b7d923f594786d7f2e820af9ecedb8fba91c210fd3782386003e6dc6

MD5 hash:

b8366ce3c58e423959ecd7753b36bdd4

SHA1 hash:

583c0ea85f998b43477af2e03fbab5cec79aed2c

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

Parent samples :

05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
e2a4e3661a1ba5c88dbfcb792f0d489b37f14f74f2d1b2111a278bc81fb930c7
3520f6322123eacd232b1dd107d892e852aa8cfa79eaf4fc3fb9c5b23893c948
0e2e9a7a5d6597e2d6e890b3dabd32d067c4e63cbaaf0428cefca2ca8822aa94
cf1eb9b3d862c9f561c215d3c9c49795fd822b4022e325368963376014fce4e3

SH256 hash:

05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2

MD5 hash:

bfe2de8eba236fb0eb346c2f86c3bf26

SHA1 hash:

b33ac69d327091b970ba05b3b24451d32607ac24

Link:

https://www.unpac.me/results/36be5f43-080f-4042-bc43-7b2ad7a4de01/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05b9b2ba7cef/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.