MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6
SHA3-384 hash: 269e4ac5696e2711dd269c346c4358266e101885caa8c7a4f5f3934683f74f4f6246fd174ad784e6c672c819c2e6ff5f
SHA1 hash: d28874a1fda3293a66ca164958c73c42433dbb41
MD5 hash: f1ed5e8e87ce482a8beabadad38ed488
humanhash: maryland-texas-jupiter-island
File name:Purchase Order 236pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'368'064 bytes
First seen:2023-05-10 12:22:28 UTC
Last seen:2023-05-12 10:42:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:WQBy9v4UIPc/gt2hv1+gjG0Fk2gQSxhYm/PzbTbTo2SDQMXyVpBIj0IS3:Zy9w2sXfXzbYyVXoc
Threatray 87 similar samples on MalwareBazaar
TLSH T1ED55E13A4FC6BEE9E3644DBCDC8721840E98A4775318D59C7DC8E14611AFB54EA28CF8
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8dc888898a890b8 (4 x AgentTesla, 3 x SnakeKeylogger, 1 x Loki)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
239
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order 236pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 12:25:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3498a0e5-30b0-449c-86a7-dba78c496756

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388166/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Krypt.11.26466.22700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645b8ca607a2287e91f7da39/reports/9b9e66b6-8f6a-47cd-8b43-15e12ae6831c/overview
Verdict:
Malicious
Labled as:
MSIL.Krypt.Generic
Link:
https://www.hybrid-analysis.com/sample/72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d33073e1-3695-4e1c-93dc-f7331c22167d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229754
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862736 Sample: Purchase Order 236pdf.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Found malware configuration 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 7 other signatures 2->67 7 Purchase Order 236pdf.exe 1 5 2->7         started        11 Edctc.exe 2 2->11         started        13 Edctc.exe 1 2->13         started        process3 file4 35 C:\Users\user\AppData\Roaming\...dctc.exe, PE32 7->35 dropped 37 C:\Users\user\...dctc.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\...\Purchase Order 236pdf.exe.log, ASCII 7->39 dropped 69 Encrypted powershell cmdline option found 7->69 71 Writes to foreign memory regions 7->71 73 Allocates memory in foreign processes 7->73 15 InstallUtil.exe 15 2 7->15         started        19 powershell.exe 16 7->19         started        75 Antivirus detection for dropped file 11->75 77 Multi AV Scanner detection for dropped file 11->77 79 Machine Learning detection for dropped file 11->79 21 InstallUtil.exe 11->21         started        23 powershell.exe 13 11->23         started        81 Injects a PE file into a foreign processes 13->81 25 InstallUtil.exe 13->25         started        27 powershell.exe 13->27         started        signatures5 process6 dnsIp7 41 logxtai.shop 198.54.116.202, 49708, 49710, 49712 NAMECHEAP-NETUS United States 15->41 43 api4.ipify.org 173.231.16.77, 443, 49707, 49709 WEBNXUS United States 15->43 45 api.ipify.org 15->45 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->53 55 May check the online IP address of the machine 15->55 29 conhost.exe 19->29         started        47 api.ipify.org 21->47 31 conhost.exe 23->31         started        49 api.ipify.org 25->49 57 Tries to steal Mail credentials (via file / registry access) 25->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 33 conhost.exe 27->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-05-10 00:46:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 37 (51.35%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojqiei53nmpprvlx64ycuxddvwsjo2lrxicab6ynagzjnifs7ota._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
272872a41e4e0ae720f6f61e50320720cf0313fe65d4c039334ed6c0cb7f37b0
AgentTesla
43a5329fe9f6d43a4de5875d0fe039a056f10a1887a52ad0acd11863587b9204
AgentTesla
6a57e513b61e8a308a00109c55555b710dcaa64629a25982ddcf3c4433fed248
AgentTesla
6f87506ad54bd39f08b8f3da216f4f31713377aa512b32628c2ef53162b222ff
AgentTesla
7640591719da5ed087f6006a0dff2ca19b6f76533e95554222f04b4fe3f93ded
AgentTesla
84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a
AgentTesla
8a41b79f891041bd386d0886027e3a214bfc1597f5958dd897553612df87dc30
AgentTesla
91dff7bab30d0d6713ba56c522859ce8f773611c10ec7a7e7a0d9889612d0641
AgentTesla
a0959f72e13211452dc49f9359f43d5b7df3a98fb24f0fbaf0ec2c29d85bb1ec
AgentTesla
a86d1dc8abd7cdd7ce8eb34ee9e739c35ba49d2a4a4c9d62d0da1d2dc14addf1
AgentTesla
+ 77 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230510-pkfx5shf8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/3d81d0e2-95ca-4b53-b4ea-0d1b624180ae/
SH256 hash:
4027fecea90c3ecadce2dea01b7f67133295b6d1a3fb36cf553412324b46ead8
MD5 hash:
4e66ada367963ccea6194610b137b91c
SHA1 hash:
c15ba9335b2a86db0102a0c1db28b9a3a7ff6ca2
Link:
https://www.unpac.me/results/3d81d0e2-95ca-4b53-b4ea-0d1b624180ae/
SH256 hash:
33eed90ee9d7f5e5dde26e930f424fc0a6a78b9f99a67837ef0be5a0b3945106
MD5 hash:
55a4b1839408ca24880d72641c323123
SHA1 hash:
02067283b2339edf44ca02794301b29eb529eb25
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3d81d0e2-95ca-4b53-b4ea-0d1b624180ae/
Parent samples :
33eed90ee9d7f5e5dde26e930f424fc0a6a78b9f99a67837ef0be5a0b3945106
4ce7a341e7f7fa0e25a3e138f2586b70af6e10d69b29c5ed0242876dca67267f
72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6
16122022e662164152159bdefa62d7024c6aace27213b34ef150fb90fbb539fb
4ae529ced4b3a4e8da8ffbe6146321e551d333c0aa13daf516f1eb4e43837665
SH256 hash:
72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6
MD5 hash:
f1ed5e8e87ce482a8beabadad38ed488
SHA1 hash:
d28874a1fda3293a66ca164958c73c42433dbb41
Link:
https://www.unpac.me/results/3d81d0e2-95ca-4b53-b4ea-0d1b624180ae/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72608223bb6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388166/

Comments