MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18
SHA3-384 hash: 07869bd74015a17a5a8691ca33c28433d10d9ac14e20a4b46c079efa6ab122be5ea8d06208edabdb9fba08683f3eb16c
SHA1 hash: 137d454ba92c85fa0d2a27320d71f9c1d1f28e97
MD5 hash: a611a2c5484e8adaf3ca49e2e9278e7a
humanhash: september-august-music-foxtrot
File name:Shipping Documents 7639081.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:334'496 bytes
First seen:2023-02-28 10:25:52 UTC
Last seen:2023-02-28 13:04:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:/Ya6PHN/vNPjkb7B7cFcDjCGg3ZfdsRD++ZYZtZj+Cr4JKzd3e:/YdHN/hi+IjCtJfdeD+AYZtZddO
Threatray 977 similar samples on MalwareBazaar
TLSH T1B8641217FBA5E64FD4690332287557595BF8A72162B8920B3388BB387C36521CF0E772
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Documents 7639081.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 10:28:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9ea6b97-f374-4ca1-8223-95703e1c32b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370608/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63fdd6bd2ea6b36966300028/reports/3327fb09-b817-4928-9067-7d8c5273c042/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8402ff90-4680-4a16-a4b4-2c5f55580b3b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184269
Signature
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817117 Sample: Shipping Documents 7639081.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected AgentTesla 2->38 40 Sample has a suspicious name (potential lure to open the executable) 2->40 42 2 other signatures 2->42 7 Shipping Documents 7639081.exe 19 2->7         started        10 tdmirnwgcluq.exe 2->10         started        12 tdmirnwgcluq.exe 2->12         started        process3 file4 26 C:\Users\user\AppData\Local\...\jtkjkqupd.exe, PE32 7->26 dropped 14 jtkjkqupd.exe 1 2 7->14         started        18 WerFault.exe 4 10 10->18         started        20 WerFault.exe 10 12->20         started        process5 file6 28 C:\Users\user\AppData\...\tdmirnwgcluq.exe, PE32 14->28 dropped 52 Detected unpacking (changes PE section rights) 14->52 54 Detected unpacking (overwrites its own PE header) 14->54 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->56 58 4 other signatures 14->58 22 jtkjkqupd.exe 17 3 14->22         started        signatures7 process8 dnsIp9 30 mail.flash-tours.gr 22->30 32 api4.ipify.org 64.185.227.155, 443, 49711 WEBNXUS United States 22->32 34 2 other IPs or domains 22->34 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->44 46 Tries to steal Mail credentials (via file / registry access) 22->46 48 Creates multiple autostart registry keys 22->48 50 Tries to harvest and steal browser information (history, passwords, etc) 22->50 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18/
Threat name:
Win32.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 08:59:32 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bh5yjhuot2elcaxcsnoh475mr6q74tdr4rsohf53vv4yufxjjqma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10be0a18f4ee73fd9816b7b3acd31fc50cbdb61e3357751850887c7bbe53abbf
AgentTesla
1143b577b1f61ea03807acd45383937486fd8f7873df1d1485848e0af7bc8780
AgentTesla
4059686e35766f53fb8adf6d48a91c3773542bc25001a400b6065193a40136c7
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
b7edcf412d229e488db5a92975a1b2398f4bc4e7dc0317f9e226b706140994f2
AgentTesla
f372f32242ba5521234305f8d8cb0f314b89be5417f875e9f2789348fab3d3c1
AgentTesla
fa851cb6401d335ba0efbeac4916ef565963723f68c939a772e28866c3863e9c
AgentTesla
+ 967 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230228-mghw8aah58/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
fa821bdcaeb52e69aa738ec8be8b0d772e98df034e35a34a13ae15db0f6f94e3
MD5 hash:
8a6390fde0f7c7d1397db8e3d988213e
SHA1 hash:
dcdb617a518b89a90f4f30da00113b9d5e097681
Link:
https://www.unpac.me/results/9c9bd8d6-da57-4ab4-b16c-45a4b519a9d0/
SH256 hash:
762a423977f8cbaee11713efad653a3c228a052d819ddd228be3abe1fb846fdd
MD5 hash:
c80e2dcaf0d8f627e23eb389ca9413b8
SHA1 hash:
4886614fec425268b55093b721f83db053efc570
Link:
https://www.unpac.me/results/9c9bd8d6-da57-4ab4-b16c-45a4b519a9d0/
SH256 hash:
7f2da32ceb5dc6061385c98ed3fcfbe225b52fb7af04196279dbad02a67265bb
MD5 hash:
a7ef2b27a588b3dc0eb24a12d9849c8d
SHA1 hash:
b8224d20f4d99e56dec75724e07a73d512846bb0
Link:
https://www.unpac.me/results/9c9bd8d6-da57-4ab4-b16c-45a4b519a9d0/
SH256 hash:
09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18
MD5 hash:
a611a2c5484e8adaf3ca49e2e9278e7a
SHA1 hash:
137d454ba92c85fa0d2a27320d71f9c1d1f28e97
Link:
https://www.unpac.me/results/9c9bd8d6-da57-4ab4-b16c-45a4b519a9d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 96c8c2196fef322e2105038652779d1db20d20318af282cc3dcb9642d998dcbc

AgentTesla

Executable exe 09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/370608/
  
Dropped by
SHA256 96c8c2196fef322e2105038652779d1db20d20318af282cc3dcb9642d998dcbc
  
Dropped by
MD5 6997eb39e68d1527a5bf09b3695861f6

Comments