MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea
SHA3-384 hash: f5eebab39b5cbb511b10cf7a57d0a1db8c2d1451604997c056fd8077f8086b1c9fcd828ba2f7e84ec4926332167b139e
SHA1 hash: d021b46c74e131124a7b4c3b6b004ff8e38d5395
MD5 hash: e51789e6769e567dfe2ed2cc98b9f4d7
humanhash: sink-sierra-saturn-charlie
File name:Prefer Quotation.pdf
Download: download sample
Signature AgentTesla
Create hunting rule
File size:184'824 bytes
First seen:2024-04-17 07:56:51 UTC
Last seen:Never
File type: pdf
MIME type:application/pdf
ssdeep 3072:7vRtf4KV41iOBoekcHFXJnHbtuzj7yNp40UFI/z/92+xNhNr5+m8hH4:7vAhk6gKnHbQzj7Umxczg+Jp5+mWH4
TLSH T164041279E87FE48AD8464C7BDD6A359F4B29B10283FA19B2B0754F5A9004E71F272370
Reporter xme
Tags:AgentTesla pdf sansisc

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
PDF File
Link:
https://app.docguard.net/87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
phishing
Link:
https://www.filescan.io/uploads/661f80ce51edb67852f62ebc/reports/42653e94-e7e8-4926-8783-56405e404f6b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea
Label:
Benign
Suspicious Score:
2.8/10
Score Malicious:
28%
Score Benign:
72%
Link:
https://www.malware.ai/gui/files/?id=2a1e40f8-a42c-4b59-9823-1ca0b9189533
Result
Verdict:
MALICIOUS
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1427226
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Clickable URLs found in PDF pointing to potentially malicious files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Downloads suspicious files via Chrome
Drops executable to a common third party application directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427226 Sample: Prefer Quotation.pdf Startdate: 17/04/2024 Architecture: WINDOWS Score: 100 91 api.telegram.org 2->91 93 playerenterprises.org 2->93 109 Snort IDS alert for network traffic 2->109 111 Multi AV Scanner detection for domain / URL 2->111 113 Found malware configuration 2->113 117 12 other signatures 2->117 11 chrome.exe 23 2->11         started        15 Prefer Quotation.exe 2->15         started        18 Acrobat.exe 18 61 2->18         started        signatures3 115 Uses the Telegram API (likely for C&C communication) 91->115 process4 dnsIp5 101 192.168.2.5, 443, 49703, 49711 unknown unknown 11->101 103 192.168.2.6 unknown unknown 11->103 105 239.255.255.250 unknown Reserved 11->105 87 C:\Users\user\...\Prefer Quotation.zip (copy), Zip 11->87 dropped 20 unarchiver.exe 4 11->20         started        22 chrome.exe 11->22         started        141 Writes to foreign memory regions 15->141 143 Allocates memory in foreign processes 15->143 145 Injects a PE file into a foreign processes 15->145 25 AppLaunch.exe 15->25         started        28 cmd.exe 15->28         started        30 cmd.exe 15->30         started        32 AppLaunch.exe 15->32         started        34 AcroCEF.exe 117 18->34         started        file6 signatures7 process8 dnsIp9 36 cmd.exe 1 20->36         started        38 7za.exe 2 20->38         started        97 firstviewautoservice.com 64.37.52.95, 443, 49725, 49726 DIMENOCUS United States 22->97 99 www.google.com 64.233.177.106, 443, 49731, 49747 GOOGLEUS United States 22->99 127 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->127 129 Tries to steal Mail credentials (via file / registry access) 25->129 131 Tries to harvest and steal browser information (history, passwords, etc) 25->131 41 conhost.exe 28->41         started        43 schtasks.exe 28->43         started        45 conhost.exe 30->45         started        47 timeout.exe 30->47         started        49 AcroCEF.exe 2 34->49         started        signatures10 process11 dnsIp12 52 Prefer Quotation.exe 14 5 36->52         started        57 conhost.exe 36->57         started        85 C:\Users\user\...\Prefer Quotation.exe, PE32 38->85 dropped 59 conhost.exe 38->59         started        89 23.63.158.36, 443, 49715 AKAMAI-ASUS United States 49->89 file13 process14 dnsIp15 95 playerenterprises.org 193.222.96.147, 443, 49728, 49732 SWISSCOMSwisscomSwitzerlandLtdCH Germany 52->95 83 C:\Users\user\...\Prefer Quotation.exe, PE32 52->83 dropped 119 Writes to foreign memory regions 52->119 121 Allocates memory in foreign processes 52->121 123 Drops executable to a common third party application directory 52->123 125 Injects a PE file into a foreign processes 52->125 61 AppLaunch.exe 52->61         started        65 cmd.exe 52->65         started        67 cmd.exe 52->67         started        69 cmd.exe 52->69         started        file16 signatures17 process18 dnsIp19 107 api.telegram.org 149.154.167.220, 443, 49735, 49737 TELEGRAMRU United Kingdom 61->107 133 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 61->133 135 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 61->135 137 Tries to steal Mail credentials (via file / registry access) 61->137 139 Uses schtasks.exe or at.exe to add and modify task schedules 65->139 71 conhost.exe 65->71         started        73 schtasks.exe 65->73         started        75 conhost.exe 67->75         started        77 schtasks.exe 67->77         started        79 conhost.exe 69->79         started        81 timeout.exe 69->81         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea/
Threat name:
Document-PDF.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-04-12 16:36:11 UTC
File Type:
Document
Extracted files:
14
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5cvyjkyjdqiyhuvg4gworgbs2u5notzgnjtclmstzb2jywaa3va._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

pdf 87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea

(this sample)

  
Link
https://isc.sans.edu/forums/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/
  
Delivery method
Distributed via e-mail attachment

Comments