MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654
SHA3-384 hash: c09db2e02551dddd6788f5e950bd6de9ae3becfe7fc3c9a6c0d13e82ff67a8f1b59bcc6906621bd7f6559ff55287a802
SHA1 hash: 0caa5eb0a625729335ab8681427e56492cef6f0a
MD5 hash: fbac3ff86a9c467a97c0b5cbbdca9bea
humanhash: carpet-blue-fourteen-paris
File name:QUOTATION_APRQTRA031244·PDF.scr
Download: download sample
File size:2'682'880 bytes
First seen:2024-04-10 16:39:01 UTC
Last seen:2024-04-10 17:20:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:5hWpgafb/fJD2vEsUZfWlRH2ST8T7NhAWZs+pH1bANYQHcVKizubk:TWpgawMXW2rT77vpHyKoi
Threatray 2'685 similar samples on MalwareBazaar
TLSH T18EC51200AE04A621DF8D57B49D33CA3403B99CA9A975E22E2DD4BCDB3F777C7500A196
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4d4dad6d6dcc4e4 (34 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654.exe
Verdict:
Malicious activity
Analysis date:
2024-04-10 16:39:46 UTC
Tags:
evasion agenttesla stealer
Link:
https://app.any.run/tasks/6eba41a3-b8e1-41bf-83c8-bd431ba6f21b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a13c99cb-1723-465a-bbc8-3573699e65ff
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1424040
Signature
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-04-10 09:16:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36e7zicw2uk35n6fdxsf6lvgiqvohcjecrfviiwopeax3lnyezka._file
Verdict:
malicious
Similar samples:
0cb284abb63cf61b070bfa0a5250ff536f92907bbf5eec07070b9aeafa4ac2bd
495c76a1f5b27c1d1dd4c02a2d6b14c33f02f7fff1d4720e9f751055f9dd9a51
9df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0
b98ba4f48ad58a55a79732eea1f80838bc26dc0ab3ba0403d04a3c25df9c3d08
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc
d6649e2e5ceba35b786f745b71b1b63dfde4e597cbbe093750065d08f0cb6e5e
df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654
f786d300e911c09396715900b66e26e1666570bb9483477f76040db3eaae15de
+ 2'675 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat keylogger rat spyware stealer trojan
Link:
https://tria.ge/reports/240410-t5zyzaea96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
f92b773660d5b2feddcbd0d63ae57d946b93dbb76f625b25a2110fd024400ead
MD5 hash:
2b6d544f2480c749baa66975c4a705a6
SHA1 hash:
e8ba3c3474679c3e0dee5962da5da19cee67d1f9
Link:
https://www.unpac.me/results/bb93331a-0d57-4d58-aa1d-7539a5f77d94/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/bb93331a-0d57-4d58-aa1d-7539a5f77d94/
SH256 hash:
64855fe58ff55ed385cadb3cba04512adfe04c61a0df845e2e122357ad159065
MD5 hash:
f808147a8af8ce1800007034bf8cd47f
SHA1 hash:
103fb6daf566fa9b4bcd1f460c4cb7f4ed52208c
Link:
https://www.unpac.me/results/bb93331a-0d57-4d58-aa1d-7539a5f77d94/
SH256 hash:
df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654
MD5 hash:
fbac3ff86a9c467a97c0b5cbbdca9bea
SHA1 hash:
0caa5eb0a625729335ab8681427e56492cef6f0a
Link:
https://www.unpac.me/results/bb93331a-0d57-4d58-aa1d-7539a5f77d94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df89fca056d515beb7c51de45f2ea6442ae38924144b5422ce79017dadb82654

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments