MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2
SHA3-384 hash:	dd3a3be45f8cbbbc89b56c42ea93b35c81860e03a6743822c59350da75137775240d50f2b8053618e490ade512010163
SHA1 hash:	7ffd3f3aa7aed7d0ba8c9ec2a6a79b08c9db33f0
MD5 hash:	cbc29fa8f68311bc63fc62d7cb53db86
humanhash:	gee-louisiana-twenty-mike
File name:	Purchase Orders.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	743'936 bytes
First seen:	2023-04-30 16:02:59 UTC
Last seen:	2023-05-01 13:19:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:uL1+cpMLL4hqgBxyrN4JxATOQuOC1gtmzC5JdvkQ5IQOBHfEolVlcVOh:QRVBkrNKxYOQygtmzWkQ2QMHsolVlcy
Threatray	2'509 similar samples on MalwareBazaar
TLSH	T1F2F48D3915B86727D17AD37996E19413F3E0A85FB211EA987CC603EA0742E8176D323F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe QUOTATION

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Orders.exe

Verdict:

Malicious activity

Analysis date:

2023-04-30 16:06:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8707ada7-1053-43b7-8037-b872f2b6741f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/385725/

Detection(s):

Sanesecurity.Rogue.0hr.20230430-0135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed

Link:

https://www.filescan.io/uploads/644e9138a020199dc647a808/reports/6e552f21-f6a2-4bab-8aa4-e02e5fe97790/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3fc10173-ad96-4801-8706-afa461fcf39a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1223744

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-04-29 23:46:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lxe4x4gvyavmfyamvcyuz45bszjxf75niymmqbwpgh5xrb5kbdja._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

AgentTesla

10378a656282ac8e5d676229bc2151b553e50906495bf0bfe6ec4c93373dc2a8

AgentTesla

1845d25cc1f21285f80768fb78778ea9cf0bc9656b1ebca9c1c48e3077ff88a5

AgentTesla

57d148e97edd36a56b6cb5fdfae00c5224b198f9660426e68f4a0555844d803b

AgentTesla

5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2

AgentTesla

a00b290cc12ad7042a413db8e0d0a54d13e307793aa9e0f60797de992c91dc7a

AgentTesla

dfa9c347f104abbdb4bfdcfd98c45370d9df69b9cdf8cd573c5c00a2970523aa

AgentTesla

ffdb9d1f978a1e37f7542e8442660ae01e7918d3500ea62676604d4b596c2d96

AgentTesla

+ 2'499 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230430-thb9dsab99/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/bcd09f1b-6e72-4c23-b1a9-4d9851abd84c/

SH256 hash:

c9813792847ecc8f9d93dbf0daf72f948d440cf5bc1f709160760f66d8b4db75

MD5 hash:

2a2103352556f66434753dba599123c3

SHA1 hash:

4cb64bdc581f9f8de834b2ff10717ee6f281a7b3

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/bcd09f1b-6e72-4c23-b1a9-4d9851abd84c/

SH256 hash:

e9e6c568b3eb398fd225ebb7ec7951b67658a6838674d91efa3e28819e326b0c

MD5 hash:

4e7a1310049049fe1fbd263e20fd455d

SHA1 hash:

1415832ce2ae3d0835ad3ca40d8dab3978f4a702

Link:

https://www.unpac.me/results/bcd09f1b-6e72-4c23-b1a9-4d9851abd84c/

SH256 hash:

5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2

MD5 hash:

cbc29fa8f68311bc63fc62d7cb53db86

SHA1 hash:

7ffd3f3aa7aed7d0ba8c9ec2a6a79b08c9db33f0

Link:

https://www.unpac.me/results/bcd09f1b-6e72-4c23-b1a9-4d9851abd84c/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5dc9cbf0d5c0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5dc9cbf0d5c02ac2e00ca8b14cf3a1965372ffad4618c806cf31fb7887aa08d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.