MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de
SHA3-384 hash: db962bf5c4f8546b325c18e2ad0637307a0ad176a0ab4278134ce62ad08968cb6097d040589a86b1786b18446a2c85bb
SHA1 hash: c5275563903246e58d47f65dd7c4d4b838afe2dd
MD5 hash: 77ac501ee50612f55fd8d9135727a6f8
humanhash: ink-salami-princess-violet
File name:Request for Tender for SAUDI ARAMCO - SAUDI ARABIAN REFINERY RENOVATIONS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:706'560 bytes
First seen:2023-10-04 06:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0U/iSAx5PWPQQ8ahT9aDtG7Coyjw3rvmA74qWvS0lhO9k+lHpsGMADk++:007Ax5uPNktG7cgdlWvSC0RTDk+
TLSH T1CDE4120A3BBC09ACEB1ECA7E1171449603FF2211AB85C6951F4B24CB7ED63675286F53
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for the window
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4232ba0e-e8f8-4fce-940e-6c4a1423803b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319214
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 02:23:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vse3c6j7jphthmah5mwgqkx5ocdlydkjhskwkakim5hoqxnfidpa._file
Verdict:
malicious
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231004-hbrvqahe7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
b3f00ba91bd199feaf96065d6c67ece934f40562fab73487f69f18c1963e2cb2
MD5 hash:
7392325624a30894c3bea4db8d4e53b0
SHA1 hash:
dedf31a7c4ac43e97b3970ef8f6871b7d05ce50c
Link:
https://www.unpac.me/results/da59a5b0-3770-42bd-8441-02fddebf0300/
SH256 hash:
4ce538e63a74373cb51f0c3aa5569c0bf5c6e58052264ea4ab3fc6d1cabad339
MD5 hash:
478d49c0cc871572c9969311eebfcc6d
SHA1 hash:
ab0148d42f2c383663038bb3ef0285d56ea2fd48
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/da59a5b0-3770-42bd-8441-02fddebf0300/
Parent samples :
ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de
db19c9886fae3d7d0b1fa2afe5918fec9e993b31775d8520a523dc9653fcbad8
ccfe18e731f5ae4678feb7154097e80ef78905f861d3eb207040f4319f783ef6
a6b452e2523c6ba1385ddadeda97afa51c951fec8d8ee39acf2ffced68a396b5
95598427818779308437272ced1a1a8e293da280290791c15721d4a5b3e25fb0
9fd0c32521c7d152ba2b6d68f90cc43f6ead072c6030601ae0724889debe4234
SH256 hash:
9ee1c25efe549050973fb03aea321b676e785fb102ba5072acc4e86c32346137
MD5 hash:
8f6d261e06a19d31d4adfb46706d6f47
SHA1 hash:
9352110b199e6c40f6f0769912089bb62b60bd8b
Link:
https://www.unpac.me/results/da59a5b0-3770-42bd-8441-02fddebf0300/
SH256 hash:
df4ae14aba1386482151a3b8cc58ef081c58306da7f4cc0c35e0718242cf043c
MD5 hash:
8383b9306b9b5929b0aed1f24991d929
SHA1 hash:
6acebb9f139a62de981a3ec15ce35f61f5c3132e
Link:
https://www.unpac.me/results/da59a5b0-3770-42bd-8441-02fddebf0300/
SH256 hash:
ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de
MD5 hash:
77ac501ee50612f55fd8d9135727a6f8
SHA1 hash:
c5275563903246e58d47f65dd7c4d4b838afe2dd
Link:
https://www.unpac.me/results/da59a5b0-3770-42bd-8441-02fddebf0300/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac89b1793f4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ac89b1793f4bcf33b007eb2c682afd7086bc0d493c95650148674ee85da540de

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments