MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
SHA3-384 hash: 29b9019f4f62e69de3ef3f2a7998dfa438bdd383165684b2a6309f9a5d1c10b6e14c3a5dea594f551e95627f9daab979
SHA1 hash: 5738e00ef9f37a76c1416cec3af4427e28d07ff3
MD5 hash: 1b71cb032f4f8a2ca0004c0d57553974
humanhash: tennis-sink-snake-early
File name:QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:275'015 bytes
First seen:2023-03-07 12:29:06 UTC
Last seen:2023-03-08 14:43:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6tqbIlkemg8GoGhG+D8KwTKMU4vOzriVFzZ2EaRhcM576kf0:/YXoN2oHzKwDKrWFzoRhC
Threatray 1'177 similar samples on MalwareBazaar
TLSH T11D4412517265D293F87B4F715DFAAB6B6FA7D0392CB8D20B2F004A0D7976142C42EB21
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe QUOTATION

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2023-03-07 12:45:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d314abb-ccb5-426e-9e47-b376446ab959

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372226/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230307-1132.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64072e4b660450d9feb94737/reports/49f74726-a57d-42c8-995f-837e524384d4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/383b4266-74f2-4558-8d24-2774c8d3ad2c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188527
Signature
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821406 Sample: QUOTATION.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 2 other signatures 2->47 7 QUOTATION.exe 19 2->7         started        10 ajfo.exe 2->10         started        13 ajfo.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Local\...\nnjqndae.exe, PE32 7->27 dropped 15 nnjqndae.exe 1 2 7->15         started        55 Antivirus detection for dropped file 10->55 19 WerFault.exe 4 10 10->19         started        21 WerFault.exe 10 13->21         started        signatures5 process6 file7 29 C:\Users\user\AppData\Roaming\...\ajfo.exe, PE32 15->29 dropped 33 Antivirus detection for dropped file 15->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->37 39 Maps a DLL or memory area into another process 15->39 23 nnjqndae.exe 2 15->23         started        signatures8 process9 dnsIp10 31 mail.focuzpartsmart.com 162.240.214.202, 49692, 587 UNIFIEDLAYER-AS-1US United States 23->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->49 51 Tries to steal Mail credentials (via file / registry access) 23->51 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 01:04:54 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgqothxuvf7kdlkccll7kooj5bi3s4ii7e5g75slxmfvuxujs7lq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
2e5c6d2c1e1eac4e565f8d71544b7d54c7b1834555edf51254ea70c9a23a28f2
AgentTesla
498a462f90680268425f0be93b68cf289a0aafa02c9159e2f708a55d7c694896
AgentTesla
506cd82114715316ac634852726575bca6bbb040ddef761d253cc6e26562330f
AgentTesla
63dfdf139256d716209f2c662066602cf83e2b8d5988195c6e3cc07c2746a430
AgentTesla
d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620
AgentTesla
edbe483f1204111a68f4942f898fcf1093ee26a4664bdea61a2b0f100cffb551
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 1'167 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230307-pnzjnahd2t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
41eaef4ba8d469346f815e2cc5bca952bab3765b64b1ac34002fece7d1598418
MD5 hash:
d6f1fb19fcd590e93bb8380fefca3287
SHA1 hash:
f7ee761166a117ad70f7aca24aed07353987b9b5
Link:
https://www.unpac.me/results/e1f2d861-5174-428d-8ecd-92ceb33abd97/
SH256 hash:
6498f004f0f2c3726d56535375e319d4adfe4d5bd32938e734d1079515040a80
MD5 hash:
155da90ffc9658c26bc61b2ee6e92e1d
SHA1 hash:
7012b67cc939480cd830ca66f11327213c3dd6ca
Link:
https://www.unpac.me/results/e1f2d861-5174-428d-8ecd-92ceb33abd97/
SH256 hash:
51d95acae4522f3a8df0810c490be9f21fb25d7177928bb97800c2e27a9c2057
MD5 hash:
345c29e106f71d9a547e28aa64980db2
SHA1 hash:
d74cc8147902b5ae1d798f04710afd3ccc3a2cfe
Link:
https://www.unpac.me/results/e1f2d861-5174-428d-8ecd-92ceb33abd97/
SH256 hash:
89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
MD5 hash:
1b71cb032f4f8a2ca0004c0d57553974
SHA1 hash:
5738e00ef9f37a76c1416cec3af4427e28d07ff3
Link:
https://www.unpac.me/results/e1f2d861-5174-428d-8ecd-92ceb33abd97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 02876cdedf9481c017eb1ccb1b594bcfe7e791a6b9095752730c77705c47fcb8

AgentTesla

Executable exe 89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 02876cdedf9481c017eb1ccb1b594bcfe7e791a6b9095752730c77705c47fcb8
Cape
Cape
https://www.capesandbox.com/analysis/372226/
  
Dropped by
MD5 56147741a28e6e2a82a865534a9c57c4

Comments