MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9431de0e7a6f14542adabb08e4a2e577d12e221913a7c08ec40aaef66658fff9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Sections: Intelligence, IOCs (15), YARA (5), File information, Comments

SHA256 hash: 9431de0e7a6f14542adabb08e4a2e577d12e221913a7c08ec40aaef66658fff9
SHA3-384 hash: dfc180777d866084752f932094f6bd97a8eb4d0b19b7a54f2ad61124c5cb4ad7a6e186a0a68b1d46944246e83ddae8c9
SHA1 hash: 551018ce51f62c6d7bd896986a7888fe363f8d0b
MD5 hash: 94df12994899680e0d9ef7cf9b3f8b4d
humanhash: cardinal-nebraska-emma-pennsylvania
File name: PURCHASE ORDER.exe
Signature: AgentTesla
File size: 841'728 bytes
First seen: 2023-01-29 07:17:38 UTC
Last seen: 2023-02-01 07:17:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:r2T8irmdjXHNOrAe/Iu4olr6Ue8L61U8rssK2mUJFUyZV:Ilr69/1UeK2mUIi
Threatray: 20'700 similar samples on MalwareBazaar
TLSH: T13A05483D2D7793F2D474F97252E5A0A0BA9F4482B3A7C9A9C9D61BC05F022827DCE11D
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter: Anonymous
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 209
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: PURCHASE ORDER.exe
Verdict: Malicious activity
Analysis date: 2023-01-29 07:20:25 UTC
Tags: agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (ID 793706; sample PURCHASE ORDER.exe; start date 29/01/2023; architecture WINDOWS; score 100)
Root sample signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
Process tree:
- PURCHASE ORDER.exe (started)
  - Dropped: C:\Users\user\AppData\...\brsZQRDyDyaFAv.exe (PE32); C:\Users\user\AppData\Local\...\tmp9471.tmp (XML); C:\Users\user\...\PURCHASE ORDER.exe.log (ASCII)
  - Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  - RegSvcs.exe (started)
    - Network: dmstech.in 208.91.199.89, ports 49695, 49696, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States); mail.dmstech.in
    - Dropped: C:\Users\user\AppData\Roaming\...\zBwkauB.exe (PE32)
    - Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  - schtasks.exe (started)
    - conhost.exe (started)
- brsZQRDyDyaFAv.exe (started)
  - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - RegSvcs.exe (started)
    - Network: mail.dmstech.in
    - Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
  - schtasks.exe (started)
    - conhost.exe (started)
- zBwkauB.exe (started)
  - conhost.exe (started)
- zBwkauB.exe (started)
  - conhost.exe (started)
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2023-01-25 03:27:19 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 25 of 39 (64.10%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
AgentTesla
Unpacked files
SHA256 hash: 739b0d0c25dab5d69c516941cb4f370df005fc8e1a77df445358776b22c3dd52
MD5 hash: 0a3d628f3d14fecd845cc89b4fee11b0
SHA1 hash: c072047c81115be2e2307cc85f01fe98a8079c87
Detections: AgentTesla

Parent samples:
SHA256 hash: 21fe49e059014bae48df7846d52b01e54d1910405cea43de08d321e2a6e42d39
MD5 hash: a4f2c8700c3901eeeae231fb5ed84bcc
SHA1 hash: badcd19abcb2010b21750a524c5e6ea16816bd00

SHA256 hash: 1c20bfc61ce0617859cc91d0b29fd3bec6bd7d96a7f2168d8f039ede8bcc9baa
MD5 hash: 57144fe2f924afdf60ecbbe00593ede5
SHA1 hash: 2250bef47b7bc4e617c014ceda481e6f7918eb14

SHA256 hash: 9431de0e7a6f14542adabb08e4a2e577d12e221913a7c08ec40aaef66658fff9
MD5 hash: 94df12994899680e0d9ef7cf9b3f8b4d
SHA1 hash: 551018ce51f62c6d7bd896986a7888fe363f8d0b

Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_AgentTesla_d3ac2b2f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla
Executable exe 9431de0e7a6f14542adabb08e4a2e577d12e221913a7c08ec40aaef66658fff9 (this sample)
Dropped by: agenttesla
Delivery method: Distributed via e-mail attachment

Comments