MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41
SHA3-384 hash:	5db3efa9ad7a5842e822aac2c1e8495c031e03f4c5baccc1254c3a1d727dec3caaaf848f82ff0178a84788d636ffa4f7
SHA1 hash:	37e5e8d6a913328d46e05c9a670f0f7757db446d
MD5 hash:	24644cfd1aeb82a9a2e7f196706af684
humanhash:	oregon-pasta-connecticut-arizona
File name:	CI & PL 2021 shipment for correction,pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	6'168'576 bytes
First seen:	2021-02-24 07:06:58 UTC
Last seen:	2021-02-24 09:03:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:YvgY/wUHCPzsK5A5cL8gPbCkca6/5u3eetnk0Y/o22d0Af2XNu6n65GismFv6bU:YLjHCPTA528gPbEt0tnkG2As965lUU
Threatray	2'788 similar samples on MalwareBazaar
TLSH	E05623017384FB96F02A1E75C82B6918A3F9832B2571F24F34D7ABE51672712035FA5B
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: [154.127.53.215]
Sending IP: 154.127.53.215
From: Sara<s.zennaro@omn.it>
Reply-To: bur.staten@bk.ru
Subject: Re: re: Correction
Attachment: CI PL 2021 shipment for correction,pdf.zip (contains "CI & PL 2021 shipment for correction,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CI & PL 2021 shipment for correction,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-24 07:10:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a9ca73ad-4d9e-4ab4-b2ce-c2f2dae7e4f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/118879/

Detection(s):

SecuriteInfo.com.Variant.Strictor.256624.14278.19995.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending a UDP request

Creating a window

Running batch commands

Launching a process

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41/

Threat name:

Win32.Trojan.Strictor

Status:

Malicious

First seen:

2021-02-24 06:55:35 UTC

AV detection:

10 of 46 (21.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bh4qog3innucb7wyv5pwxyaz5gqniysohsmz6tr4udg3gj2azraq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1e358cdd08320d9b811ec7772ac2d2e3eb2a4c2d61da189a3a6aaa0cff000c97

AgentTesla

30872c755e58b1ee3bb273e169b0b965939575af5c3e4626f53622e0f0705cad

AgentTesla

77922c4a501aecfc8e78b5fcaa7c2ac1e97c70abc5f955407e7c72d918ce43f2

AgentTesla

8a249dd65a90624d877633b7f9baf3db4bee9ad8dd5a344e9ee59ca799bec8a7

AgentTesla

ad089fab61c2347b61b149e3cd7c2ea60355ecb279876a5123667b1d3accad88

AgentTesla

b5a2fbfeb80e2e92039a23615df8b8f63f42d1331528f514b312d4946dc22607

AgentTesla

cc424dade519d54fb637e0ab4526dff7fdfa37919f921d69f85b5f1b5209abb4

AgentTesla

cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93

AgentTesla

e141086d58ad7ed148d484568ae9ff70127cd360f4812cfa7b33ec79c0e351c8

AgentTesla

+ 2'778 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210224-mh6g1ls4za/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41

MD5 hash:

24644cfd1aeb82a9a2e7f196706af684

SHA1 hash:

37e5e8d6a913328d46e05c9a670f0f7757db446d

Link:

https://www.unpac.me/results/951f48ad-0bc8-4524-9e5b-06559e65f16f/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5b7fd4fe79e3bef5054410b9289e84e86d8a7e844cf266fbc0d34dbf60fe75c7

AgentTesla

exe 09f9071b686b6820fed8af5f6be019e9a0d4624e3c999f4e3ca0cdb32740cc41

(this sample)

Dropped by

MD5 c45852584b666fd7fb4235143a721b78

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5b7fd4fe79e3bef5054410b9289e84e86d8a7e844cf266fbc0d34dbf60fe75c7

Cape

https://www.capesandbox.com/analysis/118879/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

abuse_ch

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required