MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash: 89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316
SHA3-384 hash: a02ad5cc958738854387421f6a775cd973bffbfae822393e568d017e135dc16fd578cffdc07c1e865e376764a61d5740
SHA1 hash: 597bce6e93351125632e9b92fb2ca35fca8bc75d
MD5 hash: 24b0be710ed42b1ec10224db8db55bf6
humanhash: vegan-oxygen-fifteen-montana
File name:Purchase order.exe
Download: download sample
Signature AgentTesla
File size:762'368 bytes
First seen:2022-07-25 09:10:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (32'074 x AgentTesla, 11'214 x Formbook, 6'133 x SnakeKeylogger)
ssdeep 12288:AiekMj/31humhJGu/8k9kKuB/04ZZmz3Cr/KNdS2iyNAlCj+:Fcnumiu5kKMc4Lu3rNYwSlCS
TLSH T112F4CF1A762BDD03C27C03B6C5C6145883F08606D16AD7CB6FDA62D61A03BEADDC9787
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b271c0cccccc61b2 (16 x AgentTesla, 8 x Loki, 8 x SnakeKeylogger)
Reporter @adrian__luca
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
276
Origin country :
HU HU
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
–°reating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672759 Sample: Purchase order.exe Startdate: 25/07/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 17 other signatures 2->43 7 Purchase order.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\zwLLFjVv.exe, PE32 7->27 dropped 29 C:\Users\...\zwLLFjVv.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\tmp1E2.tmp, XML 7->31 dropped 33 C:\Users\user\...\Purchase order.exe.log, ASCII 7->33 dropped 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 Purchase order.exe 15 6 7->11         started        15 powershell.exe 25 7->15         started        17 powershell.exe 24 7->17         started        19 schtasks.exe 1 7->19         started        signatures5 process6 dnsIp7 35 api.telegram.org 149.154.167.220, 443, 49770, 49771 TELEGRAMRU United Kingdom 11->35 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Threat name:
ByteCode-MSIL.Trojan.RemLoader
Status:
Malicious
First seen:
2022-07-20 14:39:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument
Unpacked files
SH256 hash:
9e27a4b4aa5c60ffa37383feb1d1b3941f993528022694ab4febd5dd704dc849
MD5 hash:
f57684dde8648ca94e5ad191509c928d
SHA1 hash:
eb26e73e191fc58430cc1b1a171907660b1d68a8
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
SH256 hash:
98dbff3834a008af02e994c03edc3419c823f182815bb07ddf302b49dafe3b56
MD5 hash:
0eacdf63c054985ec141ecc4bbaf5908
SHA1 hash:
c2b3757ca25b711e59ff5bd30a510dd3d0a4b981
SH256 hash:
520c8f10e0c05cd0275d97fa2eb687ea93850d6c73ffc55c7daa090595a5c6c3
MD5 hash:
a55dbc8c1c32baed695afb57b8193a6a
SHA1 hash:
9ec15dee9753ff25acff11a0c5af80e08d088476
SH256 hash:
ca4e3745f87ae419e10fa9dd15e9814f66a7dca601ae70bd3ae3b0b0781e9491
MD5 hash:
6491ab64072f34a6124f4cdf1d9bdd43
SHA1 hash:
78008e0c188d1732ebb5bbfe6d15892ebe32b1f7
SH256 hash:
89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316
MD5 hash:
24b0be710ed42b1ec10224db8db55bf6
SHA1 hash:
597bce6e93351125632e9b92fb2ca35fca8bc75d
Malware family:
AgentTesla.v3
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments