MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a
SHA3-384 hash: 867ceaecc25e8ba8ca42524a93151a8a2762d959f2a972e02ab9cd6b8cfccb5e34c3127f017440cd3486bc4d126c6ab8
SHA1 hash: 16a4711247bbfb9ad19eb1ec49c1c9de8e10ef75
MD5 hash: 9b273c781403d005ca76515542e5ab21
humanhash: hydrogen-don-twenty-potato
File name:9b273c781403d005ca76515542e5ab21
Download: download sample
Signature AgentTesla
Create hunting rule
File size:292'352 bytes
First seen:2023-02-07 09:19:16 UTC
Last seen:2023-02-07 11:37:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:SOe7vYYo2U4YRNNbKL4pTYdkhVoi4Fc+dVkR52:SNvYYowYtiisdkEDFc+7kr2
Threatray 26 similar samples on MalwareBazaar
TLSH T195544DAAF6AA46D0F95C4CB074DB8135171B3C33BA9C19E1D80B37D313F5268A09ADE5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68cce3b3b9cbec70 (2 x Smoke Loader, 1 x AgentTesla, 1 x Zyklon)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
9b273c781403d005ca76515542e5ab21
Verdict:
Malicious activity
Analysis date:
2023-02-07 09:20:54 UTC
Tags:
trojan loader smoke stealer
Link:
https://app.any.run/tasks/97c8e7a6-1968-4dfd-aa82-1e19e628135d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361302/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.43091.19091.8269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/63e217c31c9cbf7d625658b1/reports/347a6490-72f4-4a0b-be9a-34144ef460f7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7455147e-4099-47d7-88ec-70bcb3823a11
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167509
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 800290 Sample: v9Lyz1CSRI.exe Startdate: 07/02/2023 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 8 other signatures 2->69 8 v9Lyz1CSRI.exe 15 4 2->8         started        13 urfdicb 14 4 2->13         started        process3 dnsIp4 57 deepaliart.com 103.142.175.243, 49712, 49721, 49726 HKBIL-AS-APHONGKONGBRIDGEINFO-TECHLIMITEDHK India 8->57 45 C:\Users\user\AppData\...\v9Lyz1CSRI.exe.log, ASCII 8->45 dropped 81 Encrypted powershell cmdline option found 8->81 83 Injects a PE file into a foreign processes 8->83 15 v9Lyz1CSRI.exe 8->15         started        18 powershell.exe 16 8->18         started        85 Multi AV Scanner detection for dropped file 13->85 87 Machine Learning detection for dropped file 13->87 20 urfdicb 13->20         started        22 powershell.exe 13 13->22         started        24 urfdicb 13->24         started        file5 signatures6 process7 signatures8 97 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->97 99 Maps a DLL or memory area into another process 15->99 101 Checks if the current machine is a virtual machine (disk enumeration) 15->101 103 Creates a thread in another existing process (thread injection) 15->103 26 explorer.exe 1 6 15->26 injected 31 conhost.exe 18->31         started        33 conhost.exe 22->33         started        process9 dnsIp10 59 alpatrik.com 45.81.39.147, 49723, 49724, 49725 LVLT-10753US United States 26->59 61 cletonmy.com 172.105.103.207, 49720, 80 LINODE-APLinodeLLCUS United States 26->61 47 C:\Users\user\AppData\Roaming\urfdicb, PE32 26->47 dropped 49 C:\Users\user\AppData\Local\Temp\3562.exe, PE32 26->49 dropped 51 C:\Users\user\...\urfdicb:Zone.Identifier, ASCII 26->51 dropped 89 System process connects to network (likely due to code injection or exploit) 26->89 91 Benign windows process drops PE files 26->91 93 Injects code into the Windows Explorer (explorer.exe) 26->93 95 3 other signatures 26->95 35 explorer.exe 26->35         started        39 3562.exe 14 2 26->39         started        41 explorer.exe 26->41         started        43 4 other processes 26->43 file11 signatures12 process13 dnsIp14 53 alpatrik.com 35->53 71 System process connects to network (likely due to code injection or exploit) 35->71 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->73 75 Tries to steal Mail credentials (via file / registry access) 35->75 77 Tries to harvest and steal browser information (history, passwords, etc) 35->77 55 deepaliart.com 39->55 79 Machine Learning detection for dropped file 39->79 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-07 08:51:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=acnu3zwwdby66rokrki5lemnnfaktlmeoc6jw5dnhgadhq5zkv5a._file
Verdict:
malicious
Similar samples:
0e02e6a114b1d11170578a5742eb65a51940b2adbb8c1dac260e942068728060
AgentTesla
1d8026ad409084260f2dae852d0f179766b5c59e32f892e97d04b3c6cfda392a
AgentTesla
243649be893511b111872619c1710fd84d6a75db38bf63dcb2193544f7cd5ff7
AgentTesla
556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31
AgentTesla
7c2afe7ddb9bace6a0b1c8876c27790612b3d21b542c980357910d5b6644c37b
AgentTesla
d0a4e0e3ed54a45113962e05be0fecc8143c3484fbcbb3c890d8ea41f7586e36
AgentTesla
d8bfac190a02982a1df4b78937e75be37887d6d158d021391db60f9af2ca45c0
AgentTesla
e876ad440761c60b772b110b7e6f08c4e156ebdb17d78c55aa4594edc65ff78a
AgentTesla
f62ff438b7fc20e6a86d790a39e768b639cad74f781035447f86b102c67c4095
AgentTesla
+ 16 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:smokeloader backdoor collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230207-larecaag57/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a
MD5 hash:
9b273c781403d005ca76515542e5ab21
SHA1 hash:
16a4711247bbfb9ad19eb1ec49c1c9de8e10ef75
Link:
https://www.unpac.me/results/487df0db-bc5a-4a75-94e5-8a46f14ad03c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/009b4de6d618/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 009b4de6d61871ef45ca8a91d5918d6940a9ad8470bc9b746d398033c3b9557a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2532852/
Cape
Cape
https://www.capesandbox.com/analysis/361302/

Comments


Avatar
zbet commented on 2023-02-07 09:19:23 UTC

url : hxxp://198.46.174.165/77/vbc.exe