MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
SHA3-384 hash: d888eb9beb174a64932bca5d83fc652d94a94202eea72fa9c23b94fb60d76d4121e888fa68115829578a134ed2645128
SHA1 hash: c5ab14c881640dd35723aa3df2fb1f9414a3bc83
MD5 hash: e225571cad8c784a281b127c26676610
humanhash: edward-coffee-single-india
File name:DOCUMENTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:595'968 bytes
First seen:2023-04-19 15:50:53 UTC
Last seen:2023-04-19 15:51:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:s5Moy4bihsG2EccmuexDsqpFSP7t5LdHG:sjbK2d/MP7tVhG
Threatray 277 similar samples on MalwareBazaar
TLSH T102C4F19DA7A5D6A3C2684FBE401666C83F3051E3763AC639DF8B449DFB57B080D84683
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2023-04-19 15:58:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3d82bcf-62ca-471a-be45-b62b4d433593

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383373/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64400de9c1735fe5e7569a70/reports/4c30cfb3-2434-4372-ba8e-ed519d6f3bb7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9541b139-1692-4404-8b3b-6b82ca2a82eb
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217419
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850359 Sample: DOCUMENTS.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 6 other signatures 2->47 7 DOCUMENTS.exe 7 2->7         started        11 ICPVTIH.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\ICPVTIH.exe, PE32 7->31 dropped 33 C:\Users\user\...\ICPVTIH.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpD1E2.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\DOCUMENTS.exe.log, ASCII 7->37 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 13 DOCUMENTS.exe 2 7->13         started        17 powershell.exe 19 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 21 ICPVTIH.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 mail.focuzpartsmart.com 162.240.214.202, 49699, 49701, 587 UNIFIEDLAYER-AS-1US United States 13->39 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 Tries to steal Mail credentials (via file / registry access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=selsnwfjc7urku54ecmfyc2fmj3ixibcak2vkw7hudtp63qhs7bq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09d16715756085ded7748ecdaea1e54e91304db6471ad9b79deeafe64e390224
AgentTesla
0c5bd52278038e9194792544aa9ba56fa2fc62cdd74b5f5e47d8ab6ee7db5d0e
AgentTesla
187e9a262dac093e04914b16b11f41adec97c3115f4a6b5e5cf1125d2be8eeca
AgentTesla
23af85d9373c400f00f17590112f4545c9a522427bf6e1de80dcb028b8538bbd
AgentTesla
475bd18814dd4181d931894380857accd1428b171ae2f077a6b706411a0005ef
AgentTesla
9d4c77bd302c7e10db596ec2584943791c5c70038014fd786735cb0f4e2b931a
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
a64f5b5615ebe7e09f5238788ab1e6dfc6e00acc1741ecceba0fbf3930389273
AgentTesla
d6d326af94b3d21d4b8167db56794bed6769e0e580cc48a9c53a348f25cb3980
AgentTesla
dd61f1cf7d31d1c68a08e22c4959c42e37a950926f1dc5a12d26baeda41c3300
AgentTesla
+ 267 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230419-tagtxabe84/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
863fd91f248ed6f241c343a0d26700f8ad291bcfa2bc0f524da788d8830b2d1a
MD5 hash:
5111bf62422f2ea32bb8343579605e9b
SHA1 hash:
df0d025462b3a3688bb8dfb92e26e8476f3e4499
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
SH256 hash:
c0cf2db6bf4346bacd6ae97259e7e0def474697a620397a9f5142effcbf9e7ba
MD5 hash:
7f9dd275628d124406730f58445b668c
SHA1 hash:
9d3bdc1befaf4165717ce0d7382fba8ab8ba7866
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
SH256 hash:
9eaf1651ce818fe25affdeecb54775beb0c38e18dff0cea564a42ccf1048c003
MD5 hash:
24a745f4b8361552f051dc9a0d4c87ad
SHA1 hash:
27335cbd0029fdba7583fe6bc86f04f6cdb71420
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
SH256 hash:
0600493ba6ab2f81f2b6e7d2828e07626df190f953068637c8ce82236222c0e8
MD5 hash:
82f10e879999652cdfe5f37f87993523
SHA1 hash:
0847ba136ab8971cc9b10ed7ca1d1eb099872469
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
Parent samples :
9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
98d4406e8ee40991fc7008774e833e0b6cf758ffedd7e06023a926a06646591d
028ea05169306fbb55d4243ddba1ab8ef6de4d044dc3b41eb5c4274131388bb1
89615850a0b6561bbf1c4402fe8ca95b4052f49ebd4a20f0e3ac8a176859ec58
5dab41ad35ad1c7557d6c8c6ff066f1fefed902d422877d0997d20d715a4a57b
a0fbf510a0ad55765026894b11a642401ba689147ac093aac30ddcb8d3f2988e
SH256 hash:
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
MD5 hash:
e225571cad8c784a281b127c26676610
SHA1 hash:
c5ab14c881640dd35723aa3df2fb1f9414a3bc83
Link:
https://www.unpac.me/results/14ce85b3-45ad-491b-a161-9a8a3ebc7ee2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383373/

Comments