MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
SHA3-384 hash: 9777d43d06b4f2dab5eb51bb2a0da5d3c21b5efcfcedcd056b5e3405dc86ae85031ba7cb28febe2fb6d724e9356eab14
SHA1 hash: 716060ed46ff43fa9d34dc549175182d1780425b
MD5 hash: 17f10da48f408784b89b99b63c03c86f
humanhash: yankee-virginia-victor-twenty
File name:PRICE REQUEST FOR PO#017897.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:433'592 bytes
First seen:2023-04-03 05:55:17 UTC
Last seen:2023-04-03 06:34:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 6144:mT4DtVDc8/gxCuWcaUJSjqGV5+tgiTIF15HSUDsBeavld1RQsdlYMnkxaz5T:mTuSt3J6qsisSysLvld1X8Mncs5T
Threatray 1'423 similar samples on MalwareBazaar
TLSH T1F494020479B1F427C3A605352D3EDEB3ABADEC2254D24B7B27973B4E2D700D15A4B2A1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 56b120e4ceecf0d0 (2 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRICE REQUEST FOR PO#017897.exe
Verdict:
Malicious activity
Analysis date:
2023-04-03 06:00:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f13b733-054e-440d-b000-6476342e6544

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379501/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66168274.6567.1522.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76214/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
comodo guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/642a6a7e86877205784f55a1/reports/b914b148-37fb-45e7-9299-efb2d6c9cbde/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e7303bf2-1638-4b24-9b9c-6090ac6072d4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1206929
Signature
Antivirus detection for URL or domain
Found potential ransomware demand text
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 839845 Sample: PRICE_REQUEST_FOR_PO#017897.exe Startdate: 03/04/2023 Architecture: WINDOWS Score: 100 35 mail.primevisionuae.com 2->35 37 googlehosted.l.googleusercontent.com 2->37 39 4 other IPs or domains 2->39 51 Multi AV Scanner detection for domain / URL 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 9 PRICE_REQUEST_FOR_PO#017897.exe 1 23 2->9         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\Julesalaters.Dvs, ASCII 9->29 dropped 31 C:\Users\user\AppData\...\VMwareHostOpen.exe, PE32+ 9->31 dropped 33 C:\Users\user\...\QCA.HDP.CustomControls.dll, PE32+ 9->33 dropped 71 Suspicious powershell command line found 9->71 73 Obfuscated command line found 9->73 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 75 Very long command line found 13->75 16 powershell.exe 13 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 47 Writes to foreign memory regions 16->47 49 Tries to detect Any.run 16->49 21 CasPol.exe 15 22 16->21         started        25 CasPol.exe 16->25         started        27 CasPol.exe 16->27         started        process11 dnsIp12 41 api4.ipify.org 104.237.62.211, 443, 49816 WEBNXUS United States 21->41 43 mail.primevisionuae.com 95.172.86.31, 49818, 587 SINGLEHOP-LLCUS United Kingdom 21->43 45 2 other IPs or domains 21->45 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->59 61 Tries to steal Mail credentials (via file / registry access) 21->61 63 Tries to harvest and steal browser information (history, passwords, etc) 21->63 69 2 other signatures 21->69 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 25->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 25->67 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 08:49:07 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zetqb5kx566ohuv532akx7qds7dic32n7ecip4x24joql3g3cwaq._file
Verdict:
malicious
Similar samples:
0df9cc018e5258e289ffea0bb4137ae6f0bc8fe85b48b544520c7dae95453f68
AgentTesla
4709918939b87a9c054e217770dc158f33c7446815b548d5dabd4a6b138b61b8
AgentTesla
486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
AgentTesla
799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
AgentTesla
cf890935581d55d30342de2c71190393c3c03b99258ba7a1e3e3139099ee0b97
AgentTesla
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
AgentTesla
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
AgentTesla
f7f5898bbed2b677a52a031071110b8aebb4b3eba2669703f6dd60e6953dc2a2
AgentTesla
+ 1'413 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230403-gm2nmaee4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
AgentTesla
Unpacked files
SH256 hash:
c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
MD5 hash:
17f10da48f408784b89b99b63c03c86f
SHA1 hash:
716060ed46ff43fa9d34dc549175182d1780425b
Link:
https://www.unpac.me/results/e82576cc-a748-438e-8cff-c4494cce9dc9/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c92700f557ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/379501/

Comments