MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3
SHA3-384 hash:	649bb89783978ecc4eb49692f8ed6437cec5905a209284620d5743aaaf9a2a7cccbb39cfbea419f192010b9fc51920fe
SHA1 hash:	afc309d91f394502103a07ea3a2ba7a19631f932
MD5 hash:	0f759ff344516baf9953b60f8b636475
humanhash:	six-march-utah-quebec
File name:	shipment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	684'032 bytes
First seen:	2023-05-26 08:42:14 UTC
Last seen:	2023-06-15 21:23:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:GnTmzZBEP85XvydJ7po+/Pa56rVVMODXKEbrgZrWHuOQv:T9BEP8ot//P/VVMcUz
Threatray	4'283 similar samples on MalwareBazaar
TLSH	T17FE4129136793F9AD43AC7F9842139B853FBE16A3072E30A0EE770C76675F424601A97
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

shipment.exe

Verdict:

Malicious activity

Analysis date:

2023-05-26 08:43:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8090402a-eb3b-498f-a0d6-a190d2fc9172

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/392022/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.49419350.31035.15592.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file

Forced shutdown of a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6470711701be4e3f3391ba4c/reports/d3594e4a-a7ae-4678-b6f9-41699b8effdb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e38d0f6f-8ebb-49d6-aa54-2791dba8557e

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1243106

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-25 09:22:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bcol7uvac5qongfvqft5zletvpdzkzovyrncxpq3nfpbbzwoklzq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

53b48f956a35a099893d037f8a7f48e4d6c647b12fc333888101152dde8c2c20

AgentTesla

5d7aac97e8f4977da9f4f6d19e72e706a80ac6073041d27164e18218e97db4f3

AgentTesla

b0f2f1f1ca40e62865e6e6024ccb5ef8691431c037289e5544ac69230d9b943d

AgentTesla

b9129e7533b6b2e4db2b5a65399e6761987c2d3d260ac6be681b02948544b565

AgentTesla

bc92e8f1b1033b1a264b513f2b7118404014823e73ae7237f9b75557118beecf

AgentTesla

c7057a9a9f625dc07c2d893859df339831330e74a0cfb6b7677bf973f0af279f

AgentTesla

ccb7f3c0b4ca7addbcb2025f46fb9ea42c1eca54bd19a728ca81046cacf3fe0d

AgentTesla

ceb7b47ef34ec414f47c34a97dc66525d71f06924e90aa558c0d47f99542815f

AgentTesla

eafd24a879b0e1458630666c4dbcc4f20c14a00b48525d05ef6055312085c10d

AgentTesla

+ 4'273 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230526-kmklwsef63/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Uses the VBS compiler for execution

AgentTesla

Unpacked files

SH256 hash:

b1ddebc750822b926dfc6a2194c57f41af6a635d4e9e7856ec14da32c6586faf

MD5 hash:

b45afe82655083a1448b5502c0b5ee68

SHA1 hash:

fa786dd62d4f66acb894b7a09c060793c09a28ed

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb

MD5 hash:

803e0c67b76960ff5d9ccb360ba9636b

SHA1 hash:

836d339682618638c6b2e3d156ad66a56e4f9ba5

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

SH256 hash:

dc73f980262258793fc300f1b25af64cec1991d1211ec994980012115e5647e0

MD5 hash:

275c43d69e5f82fbbc21b998df2b0db1

SHA1 hash:

62cf6d5d4a4776472bd5e4b79a6044cde8c3e97f

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

Parent samples :

ccb7f3c0b4ca7addbcb2025f46fb9ea42c1eca54bd19a728ca81046cacf3fe0d
ceb7b47ef34ec414f47c34a97dc66525d71f06924e90aa558c0d47f99542815f
089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3
60d8340c169f13419df7488fa10c3085b0e6b6bc24c1dc9cc31019158b7ab4f4
169c4a3f668ce8d737dd54f1ab2a920badc42832968e7987eb660319eb938259
f5604807d0660b38402f649021b5e46a842653d7fc825bb0343483c60bc6170a

SH256 hash:

f96cf95887c70eaf0bac1de48efd420f1efb6a11041ea09fb3f0990e2c14961a

MD5 hash:

f25e2ac16a4b9cf8d3af87b8afc6496e

SHA1 hash:

3363c1695e7778271c29e3f9d78148a84668e1f9

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

SH256 hash:

089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3

MD5 hash:

0f759ff344516baf9953b60f8b636475

SHA1 hash:

afc309d91f394502103a07ea3a2ba7a19631f932

Link:

https://www.unpac.me/results/75878f73-6eec-4b17-a064-8b482fa6ca6e/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/089cbfd2a017/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/089cbfd2a01760e698b58167dcac93abc79565d5c45a2bbe1b695e10e6ce52f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/392022/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample