MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903cdb5e6c1c37c0934e99ab9e2db561273250fdd8a2cec152afb856a4f2b4cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	903cdb5e6c1c37c0934e99ab9e2db561273250fdd8a2cec152afb856a4f2b4cb
SHA3-384 hash:	1525264e8ca1fa6cc207c039da6863d15cba9ec555fc67083360f142b7cddaca2abda666042d83160782f0e0871f6173
SHA1 hash:	8abe6e2bbdfc82eb0d90b8421280a2f3ef667e03
MD5 hash:	42e7ae413e43f2344f6d669973ecfb3d
humanhash:	pennsylvania-mexico-sodium-edward
File name:	Purchase order No NSPONCIC3212022 Shipping documents.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	660'992 bytes
First seen:	2023-01-23 18:03:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:dZC66Bm2iNNd8v06okql3nhUWEsCAM1hPym8C21PS8uSd0WN66B:yVM1rdmozH5cdES8uSSWNV
TLSH	T159E4F0920D68C258F2F51ABD4F7C972D8BB05C9917E3E2B41BF2B4EAA463783C411476
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase order No NSPONCIC3212022 Shipping documents.exe

Verdict:

Malicious activity

Analysis date:

2023-01-23 18:07:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/82323586-3db9-410f-8067-ad9d33a706a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/355993/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63cecc142b351a3d0ea7f43b/reports/e1090199-4742-43c4-9954-434c05d7157b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7092f219-ba23-4395-ac5d-7e767bb28579

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1157518

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/903cdb5e6c1c37c0934e99ab9e2db561273250fdd8a2cec152afb856a4f2b4cb/

Threat name:

ByteCode-MSIL.Trojan.RedLine

Status:

Malicious

First seen:

2023-01-23 12:43:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sa6nwxtmdq34be2otgvz4lnvmetteuh53crm5qksv64fnjhswtfq._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230123-wnk5laee39/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

b040df8045d726a22354a5402ab9ab5c1be7908d6337d3fd799ca096a17f2afd

MD5 hash:

00087d6e50a7933c10af83250a63d878

SHA1 hash:

ffa3a2e98d99d5b4b2b7f15336ede460423f7b5b

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

SH256 hash:

2476ec97886397fb6a655c1511490e44ab9b46ddb254df30b1f4ab6766379844

MD5 hash:

8aa8e652d8dbd3c6c95373113b388bf5

SHA1 hash:

e3a5fb9da815889070229a2078b4e1d518260778

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

SH256 hash:

5d7b69a7185f6109657453dcf4f5ef1db05c448eeecdbcdcbbf92ea6f0387e56

MD5 hash:

5cd1c67baf1559f1efa6d1734ff37349

SHA1 hash:

6ff5f82ec6030690dace504b0d98e762d62f9647

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

SH256 hash:

20eda0a9b642a495ee216f13d2c37603ef860ff1aa1b8c89b2aa630a17574f71

MD5 hash:

d2dcd2d712c1f3c871e39fc27f889546

SHA1 hash:

167502f0388eb8c9525a048282600fa83d7254ad

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

SH256 hash:

5660805bb86a7cc27e5eb9274608e6737af4976fc1beabae83d2e03f9d190575

MD5 hash:

586f0e2aa986a635f801026322233d63

SHA1 hash:

0b53d57a60d2ec9ecbb09b5031d16ceaf1d72dc0

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

SH256 hash:

903cdb5e6c1c37c0934e99ab9e2db561273250fdd8a2cec152afb856a4f2b4cb

MD5 hash:

42e7ae413e43f2344f6d669973ecfb3d

SHA1 hash:

8abe6e2bbdfc82eb0d90b8421280a2f3ef667e03

Link:

https://www.unpac.me/results/d646d8b4-0249-457d-be78-f96dede483ba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/903cdb5e6c1c37c0934e99ab9e2db561273250fdd8a2cec152afb856a4f2b4cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/355993/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample