MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9
SHA3-384 hash:	6fbb38f1f0a2e283681d367e0bfcf0518e37da0b8c3423c40db9c4f663660a2bb0cba486d9dc78ce0222e36d515faf7f
SHA1 hash:	d5b973cbf83d8226dc69624119cad6cc260b6e99
MD5 hash:	9d00317b8d93146fa0605f04c796b762
humanhash:	music-virginia-yankee-mirror
File name:	PURCHASE ORDER_shrunk.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	864'256 bytes
First seen:	2023-03-17 17:04:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:JXjkj+rHRS/B1loJPbyxYq2CIebJ3v6EIBMTn:JXjkkHo/B1l2yxYq9xvjzz
Threatray	1'668 similar samples on MalwareBazaar
TLSH	T13F05015DB76AEB22C67D9BFEB0B1306053F3940F6235F3995CCE24EA2A62F910501947
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f0c4f4c4dcdcdcf8 (8 x AgentTesla, 6 x SnakeKeylogger, 2 x Formbook)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PURCHASE ORDER_shrunk.exe

Verdict:

Malicious activity

Analysis date:

2023-03-17 17:05:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90e2007f-db0b-48ba-ac89-96e164825ac6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/375183/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64149dc028f6cfd59136ade6/reports/f0bb8010-3140-4884-bc30-59051fb2f1b8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7a9bc380-c4b3-4028-a107-a9ff0f87a144

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1196079

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2023-03-17 14:53:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 39 (51.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qdvlwtwsx5cca6png2y2osvbv7kwe7xova54jdhuzhjkjnyzycuq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

8dde42f559b48a6ba626f3981dc84afc97a34f3906cbdc0f82c45122a420a22e

AgentTesla

8e29d519291fb68d63f8c3b163c207f6445dd99479bff557b7fc090e780031c5

AgentTesla

9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c

AgentTesla

a74fa0d307bc42f7118fb46c786b9f9bde4aa25826d6edea9b582b9174013b1e

AgentTesla

a8c3da8603f25f41857ee7ccde840828c700867c91f49e7e16dce2a0fdd1ffaf

AgentTesla

d519e342f95c5d96e84a3cca2fc999fedc3f0ee24133806a07f59a4688a22f99

AgentTesla

f07e48ea979743c38e1531d1b9b66585956d3d204546958b45fb7aeba189ba96

AgentTesla

fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31

AgentTesla

+ 1'658 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230317-vlttaabc5y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

Unpacked files

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

1430d5b9f94f1122fb510b93e4855986e3f801f13c30e2a68955b8dbb00d786a

MD5 hash:

51e576da8d1890a1511d4d2610892e30

SHA1 hash:

7a868c2bbcf4bac5e78a6ed6a8f01638ef0747d5

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

SH256 hash:

d3dbdaaf7b9fc8d1a1a96e918820ac12e1bd646e9f7e9a6046dba82bc3d2dd8b

MD5 hash:

a56e700f21451e499f847378e456eb07

SHA1 hash:

5f5ab6d817dae1f62c4d29ddc8da1d9b9634d6d5

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

SH256 hash:

9370108607b4c315b239c1714096fc9fe3b138c4b89cf89b143ad1d2128e9371

MD5 hash:

be04fc3fd0e014e97848111cc7b60210

SHA1 hash:

353a1b40dd7c08e883bb6155ef8e3e3cc9bfbd70

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

SH256 hash:

2d490262eecc0ec622418e1e72b7a640eccfb5f7884da7ca9e296c2a1a4765fd

MD5 hash:

bc2ff0ea085cd53497db50174db6adc1

SHA1 hash:

2705bda05df55b0b9bfa9093a0dd73820e3748ba

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

Parent samples :

dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30

SH256 hash:

80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9

MD5 hash:

9d00317b8d93146fa0605f04c796b762

SHA1 hash:

d5b973cbf83d8226dc69624119cad6cc260b6e99

Link:

https://www.unpac.me/results/cb977810-e32a-44c0-8bc4-d333ac2db6a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/375183/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample