MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f
SHA3-384 hash: 79d1e3aefd8a58acdb8a04bde925a2f8d3d4997d207200225380a48eaf952292bad7de3b92563e96633fa796bd87e88b
SHA1 hash: c931e29d42d701d755be7d4f0ba0312f81613727
MD5 hash: 7772169448d6bb5bac9afc47f92b9d21
humanhash: ten-lemon-diet-oven
File name:file
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2023-01-19 14:33:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:GmTl4nu0bZBV4uNOwE7BztsXtktFSSiwxp5yKx:GmTl43Bx+9tAK9FNx
Threatray 9'414 similar samples on MalwareBazaar
TLSH T1F2E459411A7B87E2E4F94EB8163CA41827A51CD147ACA13EBD867DBE8CE770F4095723
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET AgentTesla exe MSIL

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE NO. SFFPL22-23186.xls
Verdict:
Malicious activity
Analysis date:
2023-01-19 12:52:41 UTC
Tags:
macros opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/51880409-9c6c-4942-b85f-5226d492ad58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354568/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.24166.24558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c954dfd99bdea27b24fa86/reports/f9083bbc-3398-4649-a669-6b5b534d1143/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62ddc018-af88-4c2a-b112-84b1b83096c8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154747
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787499 Sample: file.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 5 other signatures 2->80 7 file.exe 7 2->7         started        11 HpoRYERseevzT.exe 5 2->11         started        13 zOwta.exe 2->13         started        15 zOwta.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\HpoRYERseevzT.exe, PE32 7->52 dropped 54 C:\...\HpoRYERseevzT.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\Temp\tmp99C.tmp, XML 7->56 dropped 58 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->58 dropped 92 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->92 94 May check the online IP address of the machine 7->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->96 104 2 other signatures 7->104 17 file.exe 17 5 7->17         started        22 powershell.exe 19 7->22         started        24 schtasks.exe 1 7->24         started        98 Multi AV Scanner detection for dropped file 11->98 100 Machine Learning detection for dropped file 11->100 102 Injects a PE file into a foreign processes 11->102 26 HpoRYERseevzT.exe 4 11->26         started        36 2 other processes 11->36 28 zOwta.exe 13->28         started        30 schtasks.exe 13->30         started        32 zOwta.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 60 api4.ipify.org 64.185.227.155, 443, 49712, 49714 WEBNXUS United States 17->60 62 mail.aktinos.in.netsolmail.net 207.204.50.16, 49713, 49726, 49727 DEFENSE-NETUS United States 17->62 68 2 other IPs or domains 17->68 48 C:\Users\user\AppData\Roaming\...\zOwta.exe, PE32 17->48 dropped 50 C:\Users\user\...\zOwta.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        64 mail.aktinos.in 26->64 66 api.ipify.org 26->66 88 Installs a global keyboard hook 26->88 70 2 other IPs or domains 28->70 42 conhost.exe 30->42         started        72 2 other IPs or domains 32->72 90 Tries to harvest and steal browser information (history, passwords, etc) 32->90 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 11:23:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfqhysgtywjqesnowjzsbunibc7m2dfghppyxboqm46elyr6qq7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26fd5960f4df473e74ae181061882322a19eab1b37f4ebc846d8634f538d43e9
AgentTesla
2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed
AgentTesla
2e45a9113007ef46e148979f14d5723b5af959b54503dd26c09895320d990eeb
AgentTesla
37b0b6c8e886ba54facc53bea8f5d11ea52bb2ad186ef496bac773ba989b9e89
AgentTesla
3ac0ff1d6a7bcbcd3feb5fd5f978b98845ac587b4b7e7be2233849295491e777
AgentTesla
72583f44847a7163594df6713b246140478f41f50448f9d8585ebfde2d4b3ca0
AgentTesla
cb7ffda616dbfb59cec05339b9bee2e7ecae48595545ee4e63d93e9751feb594
AgentTesla
d60b0841441e30f8c621ae74d82caed84a72125a8fef8669071c54617f4ce0f1
AgentTesla
e611419a4b0f0fb37a0c6ec8e6bd88c5314eb889f525ecf875eea8b6338a8f2c
AgentTesla
+ 9'404 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230119-rxe8gsdb7v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9f75bfb67da98cefeb325bf89be2ebf0b235dabbe8617d9e23e117e03e4cf07e
MD5 hash:
babf1779f37d62b3f1b56622cd680ec2
SHA1 hash:
f340b46cf13975e4a083a621336d3ccf630e66f2
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
SH256 hash:
39ebf36daf6559e879fcfbd0c540dff4bc48885c6e29ad7c970e9ae5be8dfeb7
MD5 hash:
42a1714fb6ef79b88708474e1d714324
SHA1 hash:
d448a989fe2cede0fe56b89ca637b68b6f6fbcbc
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
SH256 hash:
54d781f0dee6692c47390edf1ada295fb17a7e80ed5ccd58ab14c6ddf80a0ad8
MD5 hash:
4f6caebd865502f7c8046fbae3284c61
SHA1 hash:
be357e832bf6f61454875b37a1759cf1c5fa5ca4
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
SH256 hash:
7f0d201d80f3d5c61c6c3c9c49d4bed8a55a2ca377b007cbb3ae59c94a78ac97
MD5 hash:
0868d9608bc629bdc8ee88f608ed307b
SHA1 hash:
7a3f3a5cd72a46277cd0f6e4e4467b901b7f4238
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
SH256 hash:
dfb3f48bda70d056b5ff0c3784da31cb61094c783aaea92763289c0ed7173238
MD5 hash:
24e9b81d78d067e2daa58d43be6fc3a1
SHA1 hash:
26c9d673b2ee0bd7d582e30c6aaa73412f2562d4
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
SH256 hash:
09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f
MD5 hash:
7772169448d6bb5bac9afc47f92b9d21
SHA1 hash:
c931e29d42d701d755be7d4f0ba0312f81613727
Link:
https://www.unpac.me/results/7ea60ec2-7443-4967-bbba-2a62e19cb534/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/09607c48d3c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 09607c48d3c5930249aeb27320d1a808becd0ca63bdf8b85d0673c45e23e843f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2512450/
Cape
Cape
https://www.capesandbox.com/analysis/354568/

Comments