MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597
SHA3-384 hash: 8d5149ebeefa988f523adf7f71b2344107719493fda85cc074a44d667b8b7d46926c44c51449df2e13ff969030000e72
SHA1 hash: abe13f22469fd8d2256a5c5cf38ca33675781460
MD5 hash: 8dcc6d0b57946d786705863e1bacb658
humanhash: november-sad-twenty-lion
File name:Contract Draft & Drawing Specifications pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'864 bytes
First seen:2023-01-26 05:42:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8SkOvbnR8ey/ZhNcXDyzFqIGby9s9EEstgmyPrmhan6Jjb3/MWn1B7Nz:GvNrXGG9sNKg/Paha6JEyN
Threatray 24'740 similar samples on MalwareBazaar
TLSH T11FE49D4023EC9F41F6BA4B7896B9505103B7BC877533E21D8ED120DE4EB2B14AB46B67
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7eeceeccd6c2f2f2 (14 x Formbook, 9 x AgentTesla, 8 x RemcosRAT)
Reporter 0xToxin
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Contract Draft & Drawing Specifications pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-26 05:43:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5be5f812-dd3a-4911-8b31-e5ca4b10a6b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356979/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d212e996add6d1cf48a706/reports/e7534c1c-5b7b-4136-9b39-a0be5ea33509/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be9d57ef-e4ca-4564-81c9-f26e88bc2419
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159285
Signature
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 05:43:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5byjf2j2dikerfgseiomebvpvueyti2supvu5fda33ofdl2uewlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2
AgentTesla
6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f
AgentTesla
9a8c1fe1c53db8a44a8971664845fc5a63f34199504f3156101d8005059247a9
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620
AgentTesla
ed1dd3f734ad29aaa1da6ada3823d8537704310f257e44524ea08d4c5f81ff3e
AgentTesla
f76fef3e72be648d3a32fb43e48276ef6f04cc0f5a21b89d58983c3232775adc
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 24'730 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230126-gekp5scf32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
790c6e25872681949636e4425bed57c0abc5b2849a84ce57564acd569b778366
MD5 hash:
828a69ae6bcf097e4d98c45e2c588f39
SHA1 hash:
fed71c5c4f7cd389b5673e5bae0ef6213a60cc01
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
SH256 hash:
284921d895fb6ae60ecda1ca8eb0cd2d3e8310636a28d272101524673535e2f9
MD5 hash:
cddff1351db54de5bc395b4a8d1c3ee4
SHA1 hash:
c1901a2ed4e0db250619ca886a1897a3fc4ec399
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
SH256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
SH256 hash:
9153e33be7999ad1808800cceb4cf7960c166c591a22025bd728c8c9ca61e2e0
MD5 hash:
c77d3fa4ec5286648b28500c16da9188
SHA1 hash:
1d99f54363a46ee602d2dbfee11b84d75e3e12a9
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
SH256 hash:
e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597
MD5 hash:
8dcc6d0b57946d786705863e1bacb658
SHA1 hash:
abe13f22469fd8d2256a5c5cf38ca33675781460
Link:
https://www.unpac.me/results/0062ed6a-af00-4170-a28a-8fbb743a77e8/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e87092e93a1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e87092e93a1a144894d2221cc206afad0989a352a3eb4e9460dedc51af542597

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356979/

Comments