MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e
SHA3-384 hash: 29f05a268386f9cde2e572af9c18a2d0228637b61de4344efbdd9082751098e039549d86f42d1d68a9d2b2e7cd6ed7ac
SHA1 hash: 4045b5e89457e4368beada76833a5f8b8e79dcaa
MD5 hash: bfb5aa37d6759d0ff684f30a15ee87a0
humanhash: oklahoma-lion-six-enemy
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'581'056 bytes
First seen:2020-10-06 05:40:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:KAHnh+eWsN3skA4RV1Hom2KXMmHad1mm7ToS3XcAFaOkisTl5nlPjtus6QO5:dh+ZkldoPK8Yad1/ESNphel5nlxusa
Threatray 769 similar samples on MalwareBazaar
TLSH A875DF0273D1C036FFABA2739B6AF2415ABD79254123852F13981D79BD701B2273E663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: eucatur.com.br
Sending IP: 103.99.1.141
From: Eucatur <encomendas@eucatur.com.br>
Subject: RE: PURCHASE ORDER
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68396/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/482280
Signature
Antivirus / Scanner detection for submitted sample
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 00:47:23 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhy63crtfed2dyqkiuxxonlwzrj3y674wkxledvukaovpjkxjuxa._file
Verdict:
unknown
Similar samples:
12e5bd0d0f2a4e37702b096487a48992d98c846e79e9e0ef5c900e15e6e563f2
AgentTesla
48b1f899e7ad8d880a6bf9d97ada6507c4403c8d8e81815f83fb8181ca247008
AgentTesla
4951a0fc882c8d7590f4edac6f7b7e0408510d2db4353c3f5ff20c25ac60a92e
AgentTesla
628fb13f63d68b25083522f21c084fc565fd8fe57e05b95b35b76ac01fdbf5ff
AgentTesla
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
AgentTesla
a84c5039384d4ad73322e65677792efec6cad75a240a98f7b5adebe6537ddd6c
AgentTesla
b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58
AgentTesla
cda432c107c3fa22908941cec37a18edb507ceb2c83d70caf87031d2b5817afa
AgentTesla
da362c114efb6a8f52b94b4554a7dcf6594eb2408f16d22cbd3cdbc520eb86eb
AgentTesla
e897888dd36ab2a5740030d628f510ef0563d9d039e896b45134a4a5c4a82bb7
AgentTesla
+ 759 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201006-9nkyjsrk8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e
MD5 hash:
bfb5aa37d6759d0ff684f30a15ee87a0
SHA1 hash:
4045b5e89457e4368beada76833a5f8b8e79dcaa
Link:
https://www.unpac.me/results/0ebde346-ee70-48fd-a505-4d02bf83379b/
SH256 hash:
0897d0954dded59cbe044276d8a380bcd3e5d2fdc86bddb01d3dfaac14050737
MD5 hash:
b23f431cfbca2c6409e18459da7d2fa0
SHA1 hash:
a7b54495e410718a5dbb77a2b179fbecf016a7e9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/0ebde346-ee70-48fd-a505-4d02bf83379b/
Parent samples :
b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58
89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e
62da90f49f3a05c5daeb2b9a5edafa5e67cb8e2b32929ce7cb800a706af1d99f
08f4ca4ce85d82c9c563f815ce1c23a1f1526420ad9982d3c23b44ab41470a4d
436f7e9402eba8912904874a6c8085cf85c80b57968372d51c50739b25849e12
88ee51250e47627f9b734c897249cdc14a295d7297494b1ec7aab981370185ba
bbc94437bf54f676a86709d278fdf0977f5bac33bbc0262377fd4054561535a0
ed2d120151830f0dd5f1ba2f201d05bdf90702efa5d41365bd54b9b04c15aa28
de86cb4227717aa6e3818fc1f0ec62d733b1e5e941f410db7c0065ea4c4f7e94
7423c0c0302e6fa4b8ddc313963caad4189b570e9f43b201e83cfe56953b1e82
ac4013eb7d6c5dbbf90b163c9ebc5cf8fe40090132635764de6624ac2e3faf40
92d887eebd56236c7b64d7c4df54d34b63910982eddf27769b942d524c39a4a3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 84e022894e2aa9e0f8fb3068178c4b1cea0c66bb051f8c8bf3439e417ce0024a

AgentTesla

Executable exe 89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e

(this sample)

  
Dropped by
MD5 8e0a202a475c258665314385ab6b3a0d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68396/
  
Dropped by
SHA256 84e022894e2aa9e0f8fb3068178c4b1cea0c66bb051f8c8bf3439e417ce0024a

Comments