MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd
SHA3-384 hash: 9d92931b0400419c1fb2d7a2d00aa2b2963ba88bef6f6b5f9a4c06edbf59dc8e6488ad2e3f11a06ee6cbb37ec8657481
SHA1 hash: 1aa50b9219bd7dc957faf163b1880c9aa95f4ce9
MD5 hash: 720a9fbdadec452d644e2eb3992d5cf5
humanhash: cold-low-nebraska-carbon
File name:RETURN PAYMENT TT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:993'792 bytes
First seen:2023-03-02 07:00:12 UTC
Last seen:2023-03-02 08:27:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Oqb7JFYADz1KGwdBnYorrbT2vNSddzYUjVjMvQBnDy06IxJeXSX5/bIttfJ:9XJwdrr6IvvVjEqndJ15G
Threatray 1'121 similar samples on MalwareBazaar
TLSH T18D258DC677BDD522F8EBA172050411C93A79B587B212F13BAB33BB519601BFF7A89500
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 3044b271f0e8e0ba (14 x SnakeKeylogger, 13 x AgentTesla, 4 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
200
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RETURN PAYMENT TT.exe
Verdict:
Malicious activity
Analysis date:
2023-03-02 07:01:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b8cfdec1-82cf-4086-908d-6c07735f6853

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371018/
Detection(s):
Sanesecurity.Rogue.0hr.20230301-1732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640049b0bfec0852a68e63b7/reports/b27da75c-ac23-43a2-bb7d-8d0cc1cf65ec/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3d56b07-b54a-46a4-98f0-f1213204de93
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1185460
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 08:40:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcoyzq6ffofvmzusrhpylb3kwrzlgri6iwprrt6tlv7xjysnzd6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a7d3c68a19d93324a37bfda905c8d9df54a6ca7c3d45176e3dce50fa736da65
AgentTesla
216509ca0f82c10daa1b7ea155f150766effa1270b1cc4d946f7b6d26851f092
AgentTesla
24055d43a09021ce0a445076e9b729b335a726937080337752854f2883103f67
AgentTesla
7870fc0f2fdeb1a6d5c5a713da63a813078d07e49d55adb031cc6bbda41ea9a0
AgentTesla
ba278e9a224009e14aa8b65a174afa76cd51e9a6fcfcf501d715abb7270d505c
AgentTesla
cd007e27773f87ed822f914b60667b5639f369e0cc1f533b6f8593589efdb337
AgentTesla
d6571f062d5171a70f5750fa082728fe3407c7ed8e8562913c1ff66437b569ae
AgentTesla
f1108b5eb80973aef37bd03b02d776a3bd44d9ec9425da749e4c8b22c0c16c67
AgentTesla
f711597a4eb7c26df4f434b6ba92ba617918340e1fafcf106aadfb0ff4902775
AgentTesla
+ 1'111 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230302-hs782abd9w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4b285c20ab0272c7b0cc6ba731951a0e82a9453bf4081f895bb6c7ec58c02c1b
MD5 hash:
dee6be8e9ccf642e017ababa2be45c28
SHA1 hash:
d6e427b2f8a49e55248e8f94ee2cab88d00b6a05
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
SH256 hash:
b8590ddce45548534ea2782bd6cee909a223dd7d01185c822256a1f042752449
MD5 hash:
a34989f6e297fe9a4f213751d259d49a
SHA1 hash:
a03f64442e4daf1078f18091412db23b0b2d3de7
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
SH256 hash:
2d609d51baccc33f53314c8d7072bfec7d1f5cc899086845b87864af763b051d
MD5 hash:
a75d4da1f53b73be428bc107dfd3048b
SHA1 hash:
6a76898df0df5ab221311cf75211db677da3792f
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
SH256 hash:
c82f249c16490ba1180f74950b3dc33edb4896930efee6381e25a5c54564fa16
MD5 hash:
01a051e392e08959181a50735f60783c
SHA1 hash:
22b1fee9dd6a5bad617a0b8a2745c6b12ca77873
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
SH256 hash:
c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd
MD5 hash:
720a9fbdadec452d644e2eb3992d5cf5
SHA1 hash:
1aa50b9219bd7dc957faf163b1880c9aa95f4ce9
Link:
https://www.unpac.me/results/9e150c79-64ed-4e18-a7dc-642d26de70a8/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c89d8cc3c52b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c89d8cc3c52b8b56669289df85876ab472b3451e459f18cfd35d7f74e24dc8fd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/371018/

Comments