MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59af75ad132550cfcce6cdb085078ee057c966dff05a6624dc1f81252eab4e85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59af75ad132550cfcce6cdb085078ee057c966dff05a6624dc1f81252eab4e85
SHA3-384 hash: 33d62eb817b62db7696eb0c9ce51664d64d5757747229d811a23abbb94c87428517fe78784e064ab623019e48d591d6c
SHA1 hash: 30b710714a57e1e385444cd93174e941673997bc
MD5 hash: 49669a2b32fccd49e05af82e6846184c
humanhash: may-robin-south-cold
File name:Purchase Order.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'772'270 bytes
First seen:2023-04-05 18:39:27 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:PZeuEWkhNoiSTx/ZUrfC8kiQoOq+dLnG0IgicVqte6za8:37wP
Threatray 4 similar samples on MalwareBazaar
TLSH T1450633E0AE31297805FC867AB45F6E0C1B8ECFC54B04F4EF456910D2D65E7B38D928A9
Reporter abuse_ch
Tags:AgentTesla bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.bat
Verdict:
Malicious activity
Analysis date:
2023-04-05 18:42:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60f24cf7-c0b9-4a9f-bf68-16a76c53bc90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380439/
Detection(s):
Sanesecurity.Malware.28379.BadBat.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.16050.23288.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd powershell stealer
Link:
https://www.filescan.io/uploads/642dc0847dc0445b23891f1f/reports/5b7cefe5-2cf7-45f8-838a-1485ec2e45e1/overview
Verdict:
Suspicious
Labled as:
Trojan/BAT.KillFiles
Link:
https://www.hybrid-analysis.com/sample/59af75ad132550cfcce6cdb085078ee057c966dff05a6624dc1f81252eab4e85
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1209079
Signature
Encrypted powershell cmdline option found
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 841994 Sample: Purchase Order.bat Startdate: 05/04/2023 Architecture: WINDOWS Score: 60 43 www.google.com 2->43 57 Yara detected AgentTesla 2->57 59 Encrypted powershell cmdline option found 2->59 10 cmd.exe 4 2->10         started        signatures3 process4 file5 41 C:\Users\user\...\Purchase Order.bat.exe, PE32 10->41 dropped 61 Very long command line found 10->61 63 Uses cmd line tools excessively to alter registry or file data 10->63 14 Purchase Order.bat.exe 16 10->14         started        17 conhost.exe 10->17         started        19 reg.exe 1 10->19         started        21 2 other processes 10->21 signatures6 process7 signatures8 65 Encrypted powershell cmdline option found 14->65 23 Purchase Order.bat.exe 12 14->23         started        25 powershell.exe 13 14->25         started        27 Purchase Order.bat.exe 14->27         started        process9 process10 29 chrome.exe 16 1 23->29         started        32 chrome.exe 23->32         started        34 conhost.exe 25->34         started        dnsIp11 51 192.168.2.1 unknown unknown 29->51 53 192.168.2.5 unknown unknown 29->53 55 239.255.255.250 unknown Reserved 29->55 36 chrome.exe 29->36         started        39 chrome.exe 32->39         started        process12 dnsIp13 45 part-0032.t-0009.fdv2-t-msedge.net 13.107.237.60, 443, 49712, 49713 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->45 47 www.google.com 142.251.36.164, 443, 49717, 49860 GOOGLEUS United States 36->47 49 14 other IPs or domains 36->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59af75ad132550cfcce6cdb085078ee057c966dff05a6624dc1f81252eab4e85/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgxxllitevim7thgzwyikb4o4bl4szw76bngmjg4d6asklvlj2cq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06bf26eb518e2e57165e4ea925f370cf42cd7da2ef29bf080c9142a69c947bec
AgentTesla
6a45cadd3d4871e0f23d38167ec06b785a7ae769baeca36d04c65c9ccb74b78a
AgentTesla
7e03f848906030aeb482b45a795ec5f4034956c4faca88a99fb57be5ba0399eb
AgentTesla
ee6d60c7d9010957f87576189e151b1901c09b14c9ad466dbe3d5fa45374c326
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla brand:microsoft evasion keylogger phishing spyware stealer trojan
Link:
https://tria.ge/reports/230405-xa7l4sah5s/
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Sets file to hidden
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59af75ad132550cfcce6cdb085078ee057c966dff05a6624dc1f81252eab4e85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BlackGuard_Rule
Create hunting rule
Author:Jiho Kim
Description:Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380439/

Comments