MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd
SHA3-384 hash: 0049f5598121357eb06f63b435a7833595cd9287061c5a73cffa62bdcc66001b8695ffc40d24c48a94d27c7dc763a974
SHA1 hash: 7f82e1ba19799ed4656c5bd54b7e56c9d6c7fb21
MD5 hash: d86a0b37b32a68e999e94f3299c9bbb4
humanhash: princess-green-nuts-speaker
File name:Invoice_0230621_087860_092920-DOCX.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:939'008 bytes
First seen:2023-06-22 07:41:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:/dvDcAwwYhFX5znf9rWY1HK1CvpBL0jb85:/dvQRHX5bfNF1q1MnL0385
Threatray 5'580 similar samples on MalwareBazaar
TLSH T16215C2C60A14A387FFFC82B51099E53F516E7F4DAA40A1CF5E9173B4A233A0E49D1A47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 16874d4c4e0e8756 (2 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice_0230621_087860_092920-DOCX.exe
Verdict:
Malicious activity
Analysis date:
2023-06-22 07:45:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66a90e1b-3220-4da6-8dc0-e01fb185462d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/401584/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.64740.24614.14976.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6493fb4dbf0c96409e799bcd/reports/81c744ce-9252-4f70-b67d-22d02f1a8581/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1194893d-d427-43f2-ba84-36c1e31c4b61
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259497
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 11:58:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7cpjqdfnbsdwpmwtxdgkhr6u6m3lv3bc6nmjtuf2q4fz6c6ejl6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09d437e435136bba2a59d8abf84da5e2dedf46ec0afd38ddaa40d07ec6119ba5
AgentTesla
4d60f9998376b2059e5a19aa9337f44285cce66c0e6bf0535de18a87d3aaf973
AgentTesla
5206fb34c3360635f7a152e0f3f336dafbca03f1e3d2bb957b8cb9adc726240e
AgentTesla
7c588579baa7695841603d6d5b2cbd0ae9af1ff49be00df6a44bc180b58beb6f
AgentTesla
c1b407328dfb3df00e409a9c3661b8ed81aea549322104e30929f1d669404d06
AgentTesla
d2b24cbb8fe2a9485ea49df5ffd98cd0073cd47de55e0da79e91618afc4528fe
AgentTesla
f0a7fdb30ada4af66a53c9540e8daa4c2acdda345aa8ec28aedfd02c4be6edff
AgentTesla
f37444849fb5d3f512aa399c0ccc8bbac2dac9a725c7965f445cc472f64a727e
AgentTesla
+ 5'570 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230622-jjnnpsdb35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6225886424:AAE04Y_inojm0Tzj3dwMSlWwGuV885bHLak/
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
SH256 hash:
6454fbf3bbeb37287bc2f95ed0f131ed38c88d20be9ac0621ff664396d6e0a17
MD5 hash:
e3a6d1c52415cc8114f7313f812022e6
SHA1 hash:
bdfd06baf7048bdc2f3df5937f7214e4266c0a00
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
SH256 hash:
fcd9a285076c520c73421fa9b0456c06cdbb3c087481f167e6bd5b18555dc191
MD5 hash:
bc1c82571e046deac0795f832966fda6
SHA1 hash:
76a5bf8577374c9e61abc76f4ba88ee044580525
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
SH256 hash:
4d8e40df97883819fba786dbbc103a5e3750f653a920c2e8add6505dcb753996
MD5 hash:
52973ae6444fe0e4313476458fab1ad6
SHA1 hash:
5d3bf3a4389512a4c5c99ca874f3415752731307
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
Parent samples :
f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd
7e7f1d18321207cbaabea3f8c316d13c13dbfae51a52a42c5a9d3c5478f75454
21afd28ee430548fc6e79700fee08f4c4a22e4d22fb12ad0bcc72f4df6f25540
da3b0d0acac3c2309c7ea606212b9c9a301b8f6405ca6a18a442286c6d00ddcf
SH256 hash:
83a294a7d418309e77d414238ef057c6948c61432a44eac2012b01ab8531c693
MD5 hash:
76f97856706f9212fdcfcca3c8a9039e
SHA1 hash:
10719af8c49062a548e558d9c6fc52c58371c12a
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
SH256 hash:
f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd
MD5 hash:
d86a0b37b32a68e999e94f3299c9bbb4
SHA1 hash:
7f82e1ba19799ed4656c5bd54b7e56c9d6c7fb21
Link:
https://www.unpac.me/results/767e55fe-c614-46f8-8742-aa1dd911a8ff/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f89e980cad0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4aecd36974b86ce7332cf642818cca0f64637a2315d7b75a09ecac04808dfcc6

AgentTesla

Executable exe f89e980cad0c8767b2d3b8cca3c7d4f336baec22f35899d0ba870b9f0bc44afd

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4aecd36974b86ce7332cf642818cca0f64637a2315d7b75a09ecac04808dfcc6
Cape
Cape
https://www.capesandbox.com/analysis/401584/
  
Dropped by
MD5 c8b70e9ddadd8ed102da94229453cf7e

Comments