MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
SHA3-384 hash: 87c3349d32a1e401437019f7627f5b762bfd2cd9ab8a539997095844370f0eca4bee16d3d1079b5c572a1801f61a628e
SHA1 hash: 96244989bfb72e98b9311201622df398e4f12c64
MD5 hash: 9b13276cd4f6a8594a691df57d5236d5
humanhash: blue-yellow-chicken-butter
File name:Purchase Order# DE198594RT57.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:686'080 bytes
First seen:2023-04-06 06:58:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:IC+jziEM1fmACWGcXi9Y+U16Z356EWspqfOUlQPPTN++ZudSS4f:IC+j+814gYJ16ZkEWs0GUl+p+Ab
Threatray 63 similar samples on MalwareBazaar
TLSH T1BEE4125933E95B35E45E1BBEC8A1305083BAB777A493E31C4E80A5EC4DB3B05C6526E3
TrID 49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.7% (.SCR) Windows screen saver (13097/50/3)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon a4a5acaca6a7f808 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order# DE198594RT57.exe
Verdict:
Malicious activity
Analysis date:
2023-04-06 07:07:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b9d931b1-21aa-486e-9df0-185157b065c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380553/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/642e6db82254dc8912045d6f/reports/dcb0e64b-c12e-4f9f-9a5c-593a3d54a770/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b1ebb162-7bae-4140-bf78-435e902c3359
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209458
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842375 Sample: Purchase_Order#_DE198594RT57.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected AgentTesla 2->82 84 2 other signatures 2->84 7 Purchase_Order#_DE198594RT57.exe 7 2->7         started        11 xKFpRtcCO.exe 5 2->11         started        13 svchost#.exe 2->13         started        process3 file4 46 C:\Users\user\AppData\Roaming\xKFpRtcCO.exe, PE32 7->46 dropped 48 C:\Users\...\xKFpRtcCO.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\...\tmp5370.tmp, XML 7->50 dropped 52 C:\...\Purchase_Order#_DE198594RT57.exe.log, ASCII 7->52 dropped 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->86 88 May check the online IP address of the machine 7->88 90 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->90 96 2 other signatures 7->96 15 Purchase_Order#_DE198594RT57.exe 17 10 7->15         started        20 powershell.exe 21 7->20         started        22 schtasks.exe 1 7->22         started        24 Purchase_Order#_DE198594RT57.exe 7->24         started        92 Multi AV Scanner detection for dropped file 11->92 94 Injects a PE file into a foreign processes 11->94 26 xKFpRtcCO.exe 11->26         started        28 schtasks.exe 1 11->28         started        30 svchost#.exe 13->30         started        32 schtasks.exe 13->32         started        signatures5 process6 dnsIp7 54 api4.ipify.org 104.237.62.211, 443, 49699, 49701 WEBNXUS United States 15->54 56 mail.privateemail.com 198.54.122.135, 49700, 49702, 49705 NAMECHEAP-NETUS United States 15->56 58 api.ipify.org 15->58 42 C:\Users\user\AppData\...\svchost#.exe, PE32 15->42 dropped 44 C:\Users\...\svchost#.exe:Zone.Identifier, ASCII 15->44 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->66 68 Tries to steal Mail credentials (via file / registry access) 15->68 70 Creates autostart registry keys with suspicious names 15->70 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        60 api.ipify.org 26->60 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->72 74 Installs a global keyboard hook 26->74 38 conhost.exe 28->38         started        62 173.231.16.76, 443, 49704 WEBNXUS United States 30->62 64 api.ipify.org 30->64 76 Tries to harvest and steal browser information (history, passwords, etc) 30->76 40 conhost.exe 32->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 02:38:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qun2pqq7mpyw4gadwsw3ojm36zgaqcjbr5mieh2f65mlnonh5szq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d2d3cc50572a90b68558d070375be0474a2294f5cc1d4ac0249b19f21d12d8b
AgentTesla
1bd48635c48d95fc4fb94e31c015d3663d06e05a0493de2be102d59db4c9f8d3
AgentTesla
5d89fd91fbb0c2d4d75df1bde8c233dc0fe3e576966a5ab65b231ecc58935272
AgentTesla
60fb3a013ee75a17b50bd11ea23d64fd8e656594ecedcbae4f0e96670d658914
AgentTesla
86427b8288b61c876a94f3d5226fb04f843ee245ad937dcdb4b974e81ec8b404
AgentTesla
8ec8019892b2f4625446c785c98dce87ac6362cbbdef61f57c4787ec35bbb262
AgentTesla
d84a5f234b44723f4c8204264b4506cc2f06474790f6469acc09012029f35854
AgentTesla
e8baab9792dfce15247214c13c6ccbac6f622f08774e1cd81d86379ba90a35fe
AgentTesla
f2227038e0ff26cbcf040a694c1e6e0fd3c42316179c97eb539744aebc4ec0f2
AgentTesla
fbf65313c5df97b4605857a062c5f4161d189395369346927520cc2811a1a711
AgentTesla
+ 53 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230406-hr3xxsbh45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
244730b1cfb441075d1f0e70266c4e09a28b822280cd53c877fd0924a009aadb
MD5 hash:
3a132d1d623cbca2fcf82525f3a9e5b2
SHA1 hash:
cbcf4e268d1749b5445f7ae83672d88026f92add
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
SH256 hash:
232da5df9d2c56b2025e5f7b0d77039115706bd2419cff8783e32d32662c27bd
MD5 hash:
d3fa4785a03316b5fb1fa4159566e64c
SHA1 hash:
5d571272bdb412afbb320897af78f66c102cbe62
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
SH256 hash:
7f2096e3c55223790eca0af0f7e7d1fef437282019f48a94794e3a5f07f9f0eb
MD5 hash:
b5dd66eee1c1c235a6d811a10ec98645
SHA1 hash:
5b5bd6d1f5e30efec315e1e8e43e473dafecd3f6
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
SH256 hash:
bcb79be04776aa5600513c6a05332826e5e5707eaaaad8431966b44f05757459
MD5 hash:
f65576fc447ff732798fc2bdb6d79638
SHA1 hash:
47bec89756df7c634c02a57a36f951674626e538
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
SH256 hash:
851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
MD5 hash:
9b13276cd4f6a8594a691df57d5236d5
SHA1 hash:
96244989bfb72e98b9311201622df398e4f12c64
Link:
https://www.unpac.me/results/1b512c75-e3ee-41af-b7e9-e73b9e62a3d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380553/

Comments