MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
SHA3-384 hash: d4873743720f09ebad6df6084d3a23f983177affc832cc990f547f327fcb38c9be2a46c4fb89c9458158c5944fc7e825
SHA1 hash: 0d72483b99ff1951e1d697d3dea365b551fce6b9
MD5 hash: 30e5fe8a4abbb20856722e8725bff2e3
humanhash: speaker-yankee-jupiter-stairway
File name:RFQ#84839PRODUCT_MATERIAL_TEXHONG_TAN_CANGc.pif
Download: download sample
Signature AgentTesla
Create hunting rule
File size:429'478 bytes
First seen:2023-11-24 10:51:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 6144:I1onyRuPBD7zAjmPJl/tWOZwskIXrcdecSkOpFlxVWp7AUqA44zUB:QoyEpbVJl5f8vVUZiCB
TLSH T1C694230CB7C7A0D7DE9745F02AB68E6BD37F8628152502CB2B601F6998B7140D63F2C5
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe pif

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459998/
Detection(s):
SecuriteInfo.com.Adware.Generic12.HOD.14374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65608052fb92213b19d5caf5/reports/c2c81078-cbd7-4565-b675-da6ce781305f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab0e3b31-6f10-49b0-92ab-7b929a5d92e9
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347365
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1347365 Sample: RFQ#84839PRODUCT_MATERIAL_T... Startdate: 24/11/2023 Architecture: WINDOWS Score: 100 30 time.windows.com 2->30 32 fp2e7a.wpc.phicdn.net 2->32 34 2 other IPs or domains 2->34 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Antivirus detection for URL or domain 2->44 46 6 other signatures 2->46 9 RFQ#84839PRODUCT_MATERIAL_TEXHONG_TAN_CANGc.pif.exe 1 29 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\BgImage.dll, PE32 9->24 dropped 26 C:\Users\user\AppData\Local\...\Banner.dll, PE32 9->26 dropped 28 C:\Users\user\AppData\Local\...\AdvSplash.dll, PE32 9->28 dropped 12 powershell.exe 12 9->12         started        process6 signatures7 56 Suspicious powershell command line found 12->56 58 Very long command line found 12->58 60 Found suspicious powershell code related to unpacking or dynamic code loading 12->60 15 powershell.exe 15 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 62 Writes to foreign memory regions 15->62 64 Maps a DLL or memory area into another process 15->64 20 MSBuild.exe 8 15->20         started        process10 dnsIp11 36 64.188.12.78, 49707, 80 ASN-QUADRANET-GLOBALUS United States 20->36 38 cp5ua.hyperhost.ua 91.235.128.141, 49708, 587 ITLASUA Ukraine 20->38 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->50 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 signatures12
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-24 00:06:45 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6ej7dsgpljsazs2oicrodepeoahnwdtaobcnfgtazfzkemrgfuq._file
Verdict:
unknown
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231124-mydntshh72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
AgentTesla
Unpacked files
SH256 hash:
227a52e0785b070baf673c4d97d28ced967c3c01ea62bd1da5f5c593940919db
MD5 hash:
3138dac7ef0377dc6a37ba84dc56badd
SHA1 hash:
ec071ccfd71645a8c5d0687f7d12f04ec432dc6c
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
SH256 hash:
71460532a633e6eca5eb8fface6031710d75629dfccf3e1bf3528fdc39886107
MD5 hash:
9bd669a97174926e548440482d2acec1
SHA1 hash:
87b994b738cb322c94c72e0d8019e381549995e3
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
SH256 hash:
2e9845f77e55c8932406f9179f7d3fe037986e0b5277cc2eca6c27e42f12482a
MD5 hash:
5fe4ea81a3bc8737724da4b12f8b2975
SHA1 hash:
31cc375439116a2d6d3480d522b90aef82ee8b29
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
SH256 hash:
510e466a715933499fb9d5a1753b483826b2bf89161b9d466dd2ad7e52ede2fc
MD5 hash:
c22c9d7b6937b8960fba4c8a145076b2
SHA1 hash:
2e45c2dd6e5132a942fe940dccdaf771e0f9e81e
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
SH256 hash:
9bf33690090655e91389469beb5dbdd45942192f2e2486c9fa82fa6d74a0f88b
MD5 hash:
15d8eee287329e2030c34c6bb3e62c87
SHA1 hash:
1de23c0883f7a80a489e140c55b16970dd0264ab
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
SH256 hash:
87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169
MD5 hash:
30e5fe8a4abbb20856722e8725bff2e3
SHA1 hash:
0d72483b99ff1951e1d697d3dea365b551fce6b9
Link:
https://www.unpac.me/results/67417061-5cce-4676-9ddb-4ce77783f764/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87889f8e467a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 87889f8e467ad320665a7205170c8f238076d87303822694d3064b9511913169

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/459998/

Comments