MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c
SHA3-384 hash: ad89f0eb2c846391ef976ccd037a908177815e70e6b139720e2bd855b51e750c180217b428ad0ca139b852bc75ff21fa
SHA1 hash: c317daba3ab703d738a9c0147bef7aaef877820e
MD5 hash: 15759eaa8df8ab86a1f1c989b0ecce0d
humanhash: eight-butter-bacon-mexico
File name:Scan doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'056 bytes
First seen:2020-08-14 10:13:07 UTC
Last seen:2020-08-14 11:01:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:ks3xLfYO5TT6nTFgNpmH9CwE25Uk/aj6JoRfmSdzNu5tu:ks3xjYO5T2TFgjmdT1JZgjA5I
Threatray 9'544 similar samples on MalwareBazaar
TLSH 87E4E0297690DD05D2395B3ACADA840443F9AC07AB36DB1EBF97339C09117B36B4219F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: TRUONG THI HIEN TRANG <truongthihientrang@sales.aviva.com.vn>
Subject: Payment Sent T/T Receipt Attached - Overdue Invoices Payment
Attachment: Scan doc.rar (contains "Scan doc.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45788/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.53369.17699.9671.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429380
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 12:09:43 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzuf3oyyvfxpjwehp5nvc2vy4wbbvz4vcll57yargmddg524fcoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
383afa9b82f107b9f040868f783c06115083de21eb8caa8a744a68c92782acae
AgentTesla
3ac8a6bb8e3551f1889bcdbe567d78c4d1afd90f91904d5bbaffc6879abbb37a
AgentTesla
6c3bf021d2c48ff27cfeab73b69e09f5137945707ad8bdefbbcf97df508499f9
AgentTesla
822c61d76c4a9dc067978f8537aba073e1d90ccae770b89fc88993edde81386a
AgentTesla
8a6cdb7717a1c7db76da7b23406ca85b31e7f53a29c9ea29dd832dd821d3d44d
AgentTesla
9dc9ad5a5c2a56c7155bc775dc4b1d53c995f1498678a1ddb5d23010dd11c889
AgentTesla
bc83749e54465e28ddd8d7d615088989b9c17ab971969c536cef06f94887d51a
AgentTesla
dbc161933aaec1f13250088d9923431b800c6b1dac117c4fbbe834c43b0b441b
AgentTesla
e7b11adb00aa3b9264a0f647ed236e547d635674418e1a45d282913244d07ae0
AgentTesla
f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553
AgentTesla
+ 9'534 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200814-6v4nl2mrax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7f73efba80081fd73987ce8b2ab970a79e8f5624d8f33661378d413b3d6f5ce8

AgentTesla

Executable exe 9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c

(this sample)

  
Dropped by
MD5 62cd175818ac95c159afa67b06da99c7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45788/
  
Dropped by
SHA256 7f73efba80081fd73987ce8b2ab970a79e8f5624d8f33661378d413b3d6f5ce8

Comments