MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
SHA3-384 hash: c7dfefe328d77a20c61cbf83780d143445ef2b59b79073faa3ba35d13289df18f1ad37a9d3b8b3c8f442709b2eaf7039
SHA1 hash: 0b48d324331294a61d284859361d0354301c444e
MD5 hash: 4277ee8006ca2d9bd5530ca11c51a8cb
humanhash: island-nevada-foxtrot-blue
File name:Purchase Order No. 9100002286.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:701'952 bytes
First seen:2023-04-18 14:53:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:eg+goi1HBD7uWNTXxd6DZ8/l8nu7WCcp0FcIIxam+7jq8D:DBHBXuWN9sN8t8uKCm0FchxZr8
Threatray 251 similar samples on MalwareBazaar
TLSH T17EE4BE1E31779B06C26ED7FA105458713BB06287366DC27EACC703DB9ABAF01168475B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order No. 9100002286.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 14:57:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/07d08479-4e73-432d-889d-040e87b0bdf9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383064/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
floxif lokibot packed virus
Link:
https://www.filescan.io/uploads/643eaf0bc1735fe5e756760e/reports/752185a6-ce8e-4a7a-8675-e2079b479af1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e926584-c56a-4cd8-86a8-ffd0414613a2
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216075
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849002 Sample: Purchase_Order_No._9100002286.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 5 other signatures 2->49 7 Purchase_Order_No._9100002286.exe 7 2->7         started        11 vFYhSOwSaOS.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\...\vFYhSOwSaOS.exe, PE32 7->31 dropped 33 C:\Users\...\vFYhSOwSaOS.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp8EAC.tmp, XML 7->35 dropped 37 C:\...\Purchase_Order_No._9100002286.exe.log, ASCII 7->37 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Adds a directory exclusion to Windows Defender 7->55 13 Purchase_Order_No._9100002286.exe 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 21 vFYhSOwSaOS.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 us2.smtp.mailhostbox.com 208.91.199.223, 49697, 587 PUBLIC-DOMAIN-REGISTRYUS United States 13->39 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        41 208.91.198.143, 49699, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->41 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 14:08:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
99
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nholegzw63pglskfiitcdpcvxln6xmbreuml27zyw4cnlinopeya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5a9397f2ec2a6609708ad1bbbff41e1d6d099d863d0714003d35070be9786edd
AgentTesla
702cee46d4f13081bcca06cfe54412f0e9115a48035d440911fae79ea0100ae6
AgentTesla
7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
f128c12c1f7a5f1d321e716497c03def8bc09e6efb47fa900f134a81559d3ffa
AgentTesla
+ 241 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-r9we8scb47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
27a3dd95aec8ccfe63330170383480cb8d95b0451c3ed337a1a19c231ce4aa78
MD5 hash:
56f59cece068ae7d475997ba14ec3a70
SHA1 hash:
fde3b0d5b6bcfc0d702de7c0d08930e2c0a81761
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
SH256 hash:
022de27797ad907f38356d85bfba612515f93fdcc357377e918e3c0fa19a82f5
MD5 hash:
e626eed502220e346217a6a67102899c
SHA1 hash:
f022a910ff2b1bc2282c216af70ce7ef826a139f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
Parent samples :
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
475bd18814dd4181d931894380857accd1428b171ae2f077a6b706411a0005ef
ebe78c5b5c43e135929a0e4d64b63a8707f90e9c1de2fd46ae36d67098d2a559
2736bb21fab5703708ab49c3f24660ff1e8f2fc8745ae19bc422f5e6aff5f5d8
d77497cc30720ab4a1b768d7f20e4e3697fe53c06bd151b6c988ee903e0b6cff
ca5fb8c65adb08fa65191c8c9fd1884cbb730afcff6c9231684bdf6b3a1b6fdd
84652d3181fc4dfad881b733e96b9181c2aa8bf5d3257781228613419f7583a2
72d5d936fa25c900e432099c68cabb79f4637ad70b19913494fd9f0e7534a3fe
a907c4b91d636f9cd26d83b87d50633f1848f9c4c5bb8c5c83b50f0c2dcfaf35
0dd26f6dce309836b816b12516eb74464d844ef234c52e2e0c4bfc46e5ed067f
88c781e6e6adf31e3e128be59b2d85d3e1f06a21cb7ff657e6484f2d6f9e6559
06fbce2c06c6be78142bf529523adc5fa803282dde64baf75861ddfd325dc666
84b007fa05a8254769962daa7fffecfa810cf65414f5c31134ad6b4f6ed0d85c
472336b7af69430e9e8597a1c143d45fb5759d1a58b8055db6cdc862b54c0122
SH256 hash:
99abe4f50a5a03428de3cd65308a9e466bf59f30666a4e4fd8741034c1466a72
MD5 hash:
854590713e55b6cf92d3899a5e18bf7e
SHA1 hash:
b8a789e26829666f5c3000e0dae5ddab1ea0c01d
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
SH256 hash:
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
MD5 hash:
4277ee8006ca2d9bd5530ca11c51a8cb
SHA1 hash:
0b48d324331294a61d284859361d0354301c444e
Link:
https://www.unpac.me/results/17ce8c38-be33-46dd-b53a-1c6c3b1f080e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/69dcb21b36f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/383064/

Comments