MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
AgentTesla
Vendor detections: 16

SHA256 hash: 1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5
SHA3-384 hash: b272e24d9dc5ebab4a579c53d61cda75c7d17b60845cdb476f868705410d700bb35cf148f30df7b8e9cf1cf85f4b50c7
SHA1 hash: 297abfd15049bca958d60ee48f44ea8421503ffd
MD5 hash: c8c0151bd68bb23bde2a9dd9ec7b9db4
humanhash: fourteen-skylark-social-white
File name: c8c0151bd68bb23bde2a9dd9ec7b9db4.exe
Signature: AgentTesla
File size: 1'013'248 bytes
First seen: 2023-03-13 10:19:19 UTC
Last seen: 2023-03-13 11:29:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:IyKWarhfh1cvkX8dsPHz7JBWacfSj6j0EttUlD:rab1cXsPHz9BW1Kj9GtU
Threatray: 632 similar samples on MalwareBazaar
TLSH: T11F25DF51A311E939CF1A263FF1811D5822246E02EBFCCA8D7F497E9148D5BC84DC69BB
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence
File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a

Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: c8c0151bd68bb23bde2a9dd9ec7b9db4.exe
Verdict: Malicious activity
Analysis date: 2023-03-13 10:20:28 UTC
Tags: agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: formbook packed
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-12 23:19:53 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: c234684a33231d86ca3a0c6459d4fc982bfd2516807b0022d9094868d2111719
MD5 hash: 33846e3d38c36db71b091f1d26d97491
SHA1 hash: a92e54e4016e792bd11828e92c66684f69309ea2
SHA256 hash: 648749114b1a7f198b44dba4261ea0ca4f6752d76bd1842f1b3f6429c7f2506f
MD5 hash: 583545ed70314bb191ffcafb5a686fb9
SHA1 hash: 4977b87e43a706353cb5161bf1d3512aa0938282
Detections: AgentTesla
Parent samples:
082690655361b35e9d40944052ab73cc0a621c46b26797b4103eac51b25d7247
c1f9f8a6133d2f6f01574b1a8dafabae2376448bc7a6727a66b8070b66ff15dd
7c84afbd1d85d46654f72829812a1f2eb3cee52899e39d7bc54be3a4c8fe45d8
397e51f9b8a9a61de32f21b12d23334dca268c256d9024cfe4fb3605bd9c4204
a76b7df57b1b16e4bac4e1e19e88b1a03c0b31aec4441046be5cbe7ce68cd58c
d8ead95646470952403879a6bc78117d895ffe37a3b3a551cf65731a1260c8ad
42c55bc7230056d825019e88be1682afb9a3500de5d0e4582a1db497f9ec902d
8431eb1fb2cdcdc154e0692322e26cfb020248e5c64a5bb1f5989878ea69974c
b05d969714238e447faff32ccbe88b5ddef15a089157a0dcfd18a2f03cd493bb
ffbed79e038cf8090a789bd931d8e17f940f7c51bd1491c1102530c76b0ff502
3703e29e26455c33c0f38d99036cb9ca0a0126e4f46ed5ff5900b4b4dc49cd14
cdf98d2d51a7776d859d4e866bcca6c3d323e076ef86654b0e1071137433368f
9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647
67e9518c5adca9e7235912cdf74ad530841ff8879a5cb38c5d7767b8ea16d491
4be7ea0807b3e60e8d123107ce1da7dde5c044c2cbc04a8ff9733540a3c4ffaf
b4afb050b3582ac523796306096936a520c5faf302d60b934d8f59bbdc97aceb
300e22ba7444d4fd02bfbdd2e336bbc861ec4be97576b1065bfa49309946fd4c
9705354879b69702831083e4c3113e7f61c2d33a8eff41a73c7c1ca678df9588
fb948365420fb40a1f19fdb12b15670c15b1eb8626d6e12f792184683e72b557
18e15b5d7924548af144cf5449eda73c8d67c093a6c945ac00db6de533ff13db
ceeb2e11ecbce4f2948f5505afa83c9e7594284d701234791c8d32d0b05521de
7a5b7449fcd765f1a3be1dc0c8286cb46afe94b8c8040a0d268b27fe8d658ee4
f826131b5c356693f53746f0af896eaac4217ef48a1e148759541c21fe29b07d
04698304959253365ac8015e9af904b4be0e1938c63a5b91276028636a90cbbc
971dfc5c82fae0d102f99d405119645d49629ab7679fe0d7eafeffeba4041d45
3d38bac8b15d5ab3b1f5b2c13610928eb7482057dbd2b111be9c287aefc407e8
c5805f6651b3ac3e15f770607a867a8c014d2637a8af30ac272b744409b0d170
564e748a2164cc70ec2c77d9830e301dedc3439f165fd8cc798bbd53fa168862
c6922f3de8e40e5e56073a9a180de581ac3ae0eacf20f6623e0de4c7eef693e1
770c54042217d87ffe83dd0674d556c6bde9d1acc4a4cd830820170ebf2e7ca4
a53eafec588919d171746ba18abf11ca4643c9e2b858d3e825b5141946af0901
5b4d52030d1568ee351d1f51d467ec102f4923ad9947f7a9237076fff39b7791
5113b6fbc97bc224a327cdcdfa5558d3526652b76b5a157e744f2fd9a9be0aa7
9df08396c2e40b7ad647f56a6441a309996dd3b6ac40cb5944753c9fee5a38bb
df439bff97d28e23956a71daa13d628a07b7cc2973ca3a6956d7b9036d13700c
17b6e0bb426b762e1caee67606532e3350d8c752c0625994424916e0fba527ab
af2a4df6137e85a5f69a4e5478992d32bee91b7208757879e3b98aba9ec88919
78fedb4b5349e928c359cdbc4e5b0e106ce84a0ee729538e9a28795c5c8fea4e
e82d940033891932405dfdeedbd283a3be9dcea92d0a4d3cda675abc3345dfc4
094b5e896bf9c2b8b10f16de33313f39384a9e42784a49e3176a0d9b565bb0d7
2dd2ebd30b691da32cc47292b130a4781fabf091f341e045a7a72b53c5566ba6
f18a2b2d68691d79ca7b517b7111b3bcdc5f978f70735cbda33ba0260b54780f
754d1ba349e7f1633d9a6ee33497c5543aeb8710e70e89e799368d00b6e7062a
4905116d90f4b6b08798705b2bce585c9c17e8ebb83cc17b998265e2ceb97525
2ada13943b92d98911f75e2844fe9beba7659cfeef2aaa521ff9df0fb4bf7f15
8fea022b2f3c3f6f97a8c4ebe93fe862fb731fa82f8d23ac8cd11c21a4824041
04ff0a9d357afb8e0d2f7dc07f9a9d3ded1104c25f4cad3dc08524f235283245
d7e3abee48bb92e413e8a2dab38594934ea6bcdde8dd493dccd01bd4808020b6
1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5
d5ed9504812940d2447bb851ae8bb2467a1578b4554b52bac7654ca62d9e04c1
de46ab143d523dfdba34843a47df51f1112cac3bc7b3c8c053ab791b2c0a5010
3bc2c61a0e15a16eb536081daadd7275600e57f0be74d284dc64ef64552e2cc4
5020f288ce75458c32396de7fbf75933adb16ae00d868f999667ee34a2eb295c
SHA256 hash: 40f484ac45b535810d766bf646633a0f528d400dcf1e560fc2095a2223273b16
MD5 hash: b7acec0731e24a7b460756bd3fb18561
SHA1 hash: 38c44fc21107e5c02a25b2fe7f8dcde408bee240
SHA256 hash: 2b878b575d2eba9d25a771160c34c4b7e3b9b8814ddfe142df0ab800db08f7d6
MD5 hash: d82960a2255df944fad04b076c0fa1d8
SHA1 hash: 28561db888854390f5d4aaf5a6eaca742229f049
SHA256 hash: 8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash: e5b073b30db1b058298f5df032164e4d
SHA1 hash: 15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
SHA256 hash: 1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5
MD5 hash: c8c0151bd68bb23bde2a9dd9ec7b9db4
SHA1 hash: 297abfd15049bca958d60ee48f44ea8421503ffd
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla
Executable exe 1d9870e41cc277f5ae025cc7b5f062da933e1a78d39f76393f0c12ff45f57fe5 (this sample)

Delivery method: Distributed via web download

Comments