MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6
SHA3-384 hash:	7e6eba5eff0e89eccecedde43dca8af738e78375b13a80900533c2f523f472f08e77cd9a4676a4d9569a8bd3422f74ea
SHA1 hash:	ed91f6354ee8838d4be47004501b546b33c8a36b
MD5 hash:	cd9f49845106e4f30eba149ba143f292
humanhash:	kansas-mockingbird-lima-lima
File name:	Purchase Orders.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	590'336 bytes
First seen:	2023-04-28 06:49:27 UTC
Last seen:	2023-05-13 22:55:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:07HypZXdK0sjuYYZ7f1bOJD9PcWf5rLEBcXXf8zhj:4jufkLffE8Xkz9
Threatray	2'471 similar samples on MalwareBazaar
TLSH	T11DC4F85B5B5B85B6DC7B9AB3D6E0DCB7BD9F9C97AC21C51600D338CC2132AB2244122D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Orders.exe

Verdict:

Malicious activity

Analysis date:

2023-04-28 06:52:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b73a5a7a-5959-47bd-a032-762278906fe6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/385381/

Detection(s):

Sanesecurity.Rogue.0hr.20230427-1133.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/644b6c9e1facab193c6693b0/reports/2dc063b8-6937-4c14-afe2-972af32f8a2f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd52acd8-b64a-4fa8-b884-f79753465c93

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1222626

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-04-27 04:07:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=76m56tlfkosaswp5bx6kt4sn2ndwvoi6xmee6d7b6ibxjenj4pda._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161

AgentTesla

5453c16d0530e3bf32f870269a92db07188195005273c769b05752f4bb7c18e1

AgentTesla

5cbc840400d0d9d44bd5b3c7563bbe4c24eec4647e909c8ce524a60fe5b86ba5

AgentTesla

729b3e10a37e42bba3f9999ce8a17bc69f8642d86420f05836a5d0271a718efc

AgentTesla

7d08f27ae105b7caea0e95746f0554fac544bd272d6c823c835091cace0a5c21

AgentTesla

89ddd74ff391e9b89ca13cbd5f6d3b9568c1b5bfd1e7a0ff7b860444fc7e7a34

AgentTesla

f4e535a66881a91014aa12b837175eb110849a0d387a925444576387aafd633b

AgentTesla

+ 2'461 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230428-hlye9acd62/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

3aa9f12524e8f4ddee37d05669fd21e8994c34f38d0c609b2b47950d59b56902

MD5 hash:

5594bcfd04202590fdbc30f7c18afa9f

SHA1 hash:

cf9fdfb54b32bd54d722218b1a10035ae6a4a49e

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/2a39d310-fa6d-4c80-8562-d6a524cb3dc7/

Parent samples :

ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6
0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

SH256 hash:

df651f81cfd338fc24237ce28a08bf065db302e17ddc4ed5c0a446426a3d9211

MD5 hash:

8510715a3435dea32f63e75df0dc90f2

SHA1 hash:

a268cfa47034b5b5dc508c19a4c0586c50cad8ad

Link:

https://www.unpac.me/results/2a39d310-fa6d-4c80-8562-d6a524cb3dc7/

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/2a39d310-fa6d-4c80-8562-d6a524cb3dc7/

SH256 hash:

ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6

MD5 hash:

cd9f49845106e4f30eba149ba143f292

SHA1 hash:

ed91f6354ee8838d4be47004501b546b33c8a36b

Link:

https://www.unpac.me/results/2a39d310-fa6d-4c80-8562-d6a524cb3dc7/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff99df4d6553/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.