MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783
SHA3-384 hash: a75b71ccc78943dcfc025cbd7b6865a3da213ba8494e71b5a33912cb0ba3fc6f9224d1252ea318a5f8ea759aa4e27b19
SHA1 hash: 64e6b72a8e5849b7251716ca5a11867c4fec5305
MD5 hash: 69a549c5f6223381944d57e8ce312422
humanhash: california-hotel-stream-november
File name:FİYAT TALEBİ HAKT-120711-YG formu scann..07_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'375'744 bytes
First seen:2023-07-12 08:21:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:0gibyMr0GeL7brgT4c36bDLbnvv7RNclgr7olFAlewl5dMtx5b56Ue:0J7r0GoUTr3obv77wgr7olFqeW5Ctx5Q
Threatray 1 similar samples on MalwareBazaar
TLSH T1B255233A6428877ACDD583B03914997433F66EC87D20D1261E93B0F9BE7A7559308B3B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FİYAT TALEBİ HAKT-120711-YG formu scann..07_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-12 08:23:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcb11e7d-fb81-4bbb-aae1-1589c297a3ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416648/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12171.1788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d43d0e34-52ad-41b9-bf0b-74ceac3dab45
Result
Threat name:
AgentTesla, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271541
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271541 Sample: F#U0130YAT_TALEB#U0130_HAKT... Startdate: 12/07/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 6 other signatures 2->60 7 F#U0130YAT_TALEB#U0130_HAKT-120711-YG_formu_scann..07_pdf.exe 7 2->7         started        11 EtnzhkaCde.exe 5 2->11         started        process3 file4 40 C:\Users\user\AppData\...tnzhkaCde.exe, PE32 7->40 dropped 42 C:\Users\...tnzhkaCde.exe:Zone.Identifier, ASCII 7->42 dropped 44 C:\Users\user\AppData\Local\Temp\tmpBEC.tmp, XML 7->44 dropped 46 F#U0130YAT_TALEB#U...ann..07_pdf.exe.log, ASCII 7->46 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 7->62 64 Adds a directory exclusion to Windows Defender 7->64 13 F#U0130YAT_TALEB#U0130_HAKT-120711-YG_formu_scann..07_pdf.exe 7->13         started        16 powershell.exe 21 7->16         started        18 powershell.exe 21 7->18         started        24 2 other processes 7->24 66 Multi AV Scanner detection for dropped file 11->66 68 Injects a PE file into a foreign processes 11->68 20 EtnzhkaCde.exe 11->20         started        22 schtasks.exe 1 11->22         started        signatures5 process6 signatures7 78 Writes to foreign memory regions 13->78 80 Allocates memory in foreign processes 13->80 82 Injects a PE file into a foreign processes 13->82 26 aspnet_compiler.exe 15 7 13->26         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 aspnet_compiler.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 24->38         started        process8 dnsIp9 48 discordapp.com 162.159.135.233, 443, 49712 CLOUDFLARENETUS United States 26->48 50 192.168.2.1 unknown unknown 26->50 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->70 72 Tries to steal Mail credentials (via file / registry access) 26->72 74 Installs a global keyboard hook 26->74 52 162.159.133.233, 443, 49714 CLOUDFLARENETUS United States 34->52 76 Tries to harvest and steal browser information (history, passwords, etc) 34->76 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 08:22:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6jdhn7ap3dn6ylbrasjwanpy2kmvpbbgaurufot47cdiqyms6bq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
524e1c26201725515b6a3f8321bf79c687aaf52ca170641b64f0173d04f37dab
AgentTesla
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230712-j9kdzace55/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
0f2c962b30006754a1b30122ff4fee7dff64d33cbb4312551f9a98997e6712f6
MD5 hash:
7326a9fd55dab0fe41a9d8e763adbbe0
SHA1 hash:
efa319e32965e4f6fa971ce8402df64a47e5cd16
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
04d6b95cb38289a24b4b9987671d10ed43626bb64ec8a01c00d955e26927a0c2
MD5 hash:
c2ef862befa830bd70f1a36bcc7993b2
SHA1 hash:
dcfc115330795193f75a3a0286d56c95aa026f52
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
Parent samples :
524e1c26201725515b6a3f8321bf79c687aaf52ca170641b64f0173d04f37dab
8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783
SH256 hash:
388371dfddc07aecb644eef4d57a6287b0be09f4506dfe462ca2446cde7ce6b5
MD5 hash:
590c79e04be3ffa4247a6a834836cf8a
SHA1 hash:
c5c51b5c868e64c3c05f592ed2b740c691088eae
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
26e1b518c0712bee02813ed082c09bbcebb893f27e9db145e26c75aecf0580f9
MD5 hash:
9b50a8024ab4c2a1b8d9174f76b7325a
SHA1 hash:
2658596d07ed7f3c4d4cc3e40e34e23046f2d284
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
2fea04d719747306ccd5aaeca0a9abe396e87376467c60ac4986336ffab1cd94
MD5 hash:
2d5a733d21dd735323899988e2ddeeed
SHA1 hash:
81cd9631a339ed7df7c186a26bf9e48120279bb1
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
75730483faa68beb56a2fe2283b98ebb3f24c00993126d0b54d53a4abfe0e664
MD5 hash:
fbaf34d7d91b542ba66b2e8f5bc0ecb4
SHA1 hash:
04346518d01944dc0415084885a7fd5cf399a2ce
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
SH256 hash:
8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783
MD5 hash:
69a549c5f6223381944d57e8ce312422
SHA1 hash:
64e6b72a8e5849b7251716ca5a11867c4fec5305
Link:
https://www.unpac.me/results/bcc0d1b0-2a85-4e57-957a-5620982f7332/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f9233b7e07e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8f9233b7e07ec6df616188249b01afc694cabc2130291a15d3e7c434430c9783

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416648/

Comments