MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f
SHA3-384 hash:	94831d3b47b0f5ecdbb0246759e0a647ba5259860703060b6a951e0c69879c51307f7ec161a2ddfbf10d8188df930050
SHA1 hash:	12eb68fd3021756481f5d7cdf6f366c0289f4cca
MD5 hash:	ea440053d1b6cf1eba1b34631e3d73f9
humanhash:	mockingbird-tennessee-coffee-football
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	657'408 bytes
First seen:	2023-06-29 18:47:15 UTC
Last seen:	2023-07-03 05:26:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:9FCGzOjuVAjWvsPPAtNvkRTadRblGSk/W0/6S:/CQOuVwyqRTi2SU9/6S
Threatray	4'312 similar samples on MalwareBazaar
TLSH	T139E4383D29BC6323C034D3E5CFE18723B225982B71629A765DC39B954796F4229C363E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

337

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order.exe

Verdict:

Malicious activity

Analysis date:

2023-06-29 18:49:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ce0df7f-157a-4cfc-848d-67efee1f9289

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/403876/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.20538.25894.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Restart of the analyzed sample

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/649dd1e32ae0353f0fa34a5d/reports/c6ef7f0d-bdd5-493f-95df-423dfe83ce87/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/794929d5-1b82-41ee-bc1e-83a886c12ca2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1263453

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-29 18:46:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=itmqz2hyvztntap4nv6l6sx4xyssgpp3qihqwylgjbunayl4j6hq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f

AgentTesla

5d9023550ab2c666d9361bb72940be22b4304febbb93f21e4a93ea93748f33c8

AgentTesla

7fee535a13ea80e7870cf52e06ff6b5f38f9074a2672f8cd7bc8e222174c109a

AgentTesla

8150ceb72ebe958ee0424f42b26eb134281f42e7188a9f08ccc5025ac70bae24

AgentTesla

9d704258d1eb77247613ac40d7846e47862178d827a6759d58a06a687e9f99a8

AgentTesla

e6e3d8d599a4dfa1b02a095eb6e5f4bc30ae29562a96f9f801a70a9bbc774e84

AgentTesla

f7dd22fb970ce053fe95c76ee3a57c846c14bd08187b1f8f2d1d56e19294df35

AgentTesla

+ 4'302 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230629-xfrg3see86/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6048733251:AAHRY3bwFxY_dCpUKVaxkoIu25MIjLFtqRA/

Unpacked files

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

0f5732b1320632b53b8adc5cabf2eacac25363602b45711f2c07b5fed0c4b4e1

MD5 hash:

7f960a25874860e3cb2f6d1065380dbe

SHA1 hash:

88ba2696cea24a9181d603aa0fcdb624fc56500a

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

Parent samples :

44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f
cef9ee760a9e4e3d132a05164243a878622db8cb86d26753e10a4430312d3486

SH256 hash:

adb9fe071d607978716be480b49039675c37862a0ce9ad7727c935ad4f7b77c2

MD5 hash:

8c22cf910bfc86ff5c10a6655bdead11

SHA1 hash:

3d9db7ba40017a2a65ba16279fe377ffbb331e2d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

0f5732b1320632b53b8adc5cabf2eacac25363602b45711f2c07b5fed0c4b4e1

MD5 hash:

7f960a25874860e3cb2f6d1065380dbe

SHA1 hash:

88ba2696cea24a9181d603aa0fcdb624fc56500a

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

Parent samples :

44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f
cef9ee760a9e4e3d132a05164243a878622db8cb86d26753e10a4430312d3486

SH256 hash:

adb9fe071d607978716be480b49039675c37862a0ce9ad7727c935ad4f7b77c2

MD5 hash:

8c22cf910bfc86ff5c10a6655bdead11

SHA1 hash:

3d9db7ba40017a2a65ba16279fe377ffbb331e2d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

0f5732b1320632b53b8adc5cabf2eacac25363602b45711f2c07b5fed0c4b4e1

MD5 hash:

7f960a25874860e3cb2f6d1065380dbe

SHA1 hash:

88ba2696cea24a9181d603aa0fcdb624fc56500a

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

Parent samples :

44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f
cef9ee760a9e4e3d132a05164243a878622db8cb86d26753e10a4430312d3486

SH256 hash:

0f5732b1320632b53b8adc5cabf2eacac25363602b45711f2c07b5fed0c4b4e1

MD5 hash:

7f960a25874860e3cb2f6d1065380dbe

SHA1 hash:

88ba2696cea24a9181d603aa0fcdb624fc56500a

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

Parent samples :

44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f
cef9ee760a9e4e3d132a05164243a878622db8cb86d26753e10a4430312d3486

SH256 hash:

adb9fe071d607978716be480b49039675c37862a0ce9ad7727c935ad4f7b77c2

MD5 hash:

8c22cf910bfc86ff5c10a6655bdead11

SHA1 hash:

3d9db7ba40017a2a65ba16279fe377ffbb331e2d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

adb9fe071d607978716be480b49039675c37862a0ce9ad7727c935ad4f7b77c2

MD5 hash:

8c22cf910bfc86ff5c10a6655bdead11

SHA1 hash:

3d9db7ba40017a2a65ba16279fe377ffbb331e2d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

973512f00ba81a790d2351f286c79dfea92692c9f7cd724e22ab11ff282f8130

MD5 hash:

3794c5f7b240e4184d6ea90c5bdd9ec6

SHA1 hash:

26b9c4a753779b4994fe38c16dfe70b07efd3e0d

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

SH256 hash:

44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f

MD5 hash:

ea440053d1b6cf1eba1b34631e3d73f9

SHA1 hash:

12eb68fd3021756481f5d7cdf6f366c0289f4cca

Link:

https://www.unpac.me/results/5045ff52-2054-42a2-8b3e-64c8ba426985/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/44d90ce8f8ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/44d90ce8f8ae66d981fc6d7cbf4afcbe25233dfb820f0b61664868d0617c4f8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/403876/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample