MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1
SHA3-384 hash: 18d875838c2fdd73e8176625816a807b75ea867021838a29e12eaf418ace5d4f0e486dc85e6ebf6b4500cd2aee3506c3
SHA1 hash: cf0ff3cbd49a36f24426622f868a971f1bcc18e5
MD5 hash: 1bf62efdf24fe9e1d60e07e91af847b0
humanhash: earth-quebec-hydrogen-maine
File name:1bf62efdf24fe9e1d60e07e91af847b0
Download: download sample
Signature AgentTesla
Create hunting rule
File size:495'616 bytes
First seen:2021-09-14 17:07:37 UTC
Last seen:2021-09-14 18:05:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:dxWc/GN2fo/DXRbdShb22eUbn/uglmwjyyTpG:HGN2fotdCb22eUboUTpG
Threatray 9'843 similar samples on MalwareBazaar
TLSH T143B4024A366C5B36D8DE0B7DA025405707B4CAAB7223FB0A9FD561E9048F7908D543EF
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bf62efdf24fe9e1d60e07e91af847b0
Verdict:
Malicious activity
Analysis date:
2021-09-14 17:08:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7bb1df7d-cd9f-4480-93de-536e34b60754

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187870/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16608.9539.28563.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
monero obfuscated packed
Link:
https://www.filescan.io/uploads/617510c79a5a1e91c5d20151/reports/20e9af89-acc9-4cc4-8b1c-77eafb796d68/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b89feb15-b19c-47bf-92f4-455bd60d5fe2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850860
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483291 Sample: 6522TrkXwt Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 27 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->27 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 6 other signatures 2->33 7 6522TrkXwt.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\ZHaKTHnnG.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp9055.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\6522TrkXwt.exe.log, ASCII 7->23 dropped 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->35 37 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->37 39 Uses schtasks.exe or at.exe to add and modify task schedules 7->39 41 Injects a PE file into a foreign processes 7->41 11 6522TrkXwt.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 mail.karsanmax.com 67.20.76.71, 49819, 587 UNIFIEDLAYER-AS-1US United States 11->25 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 2 other signatures 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 08:22:52 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06c48a7afff810fd70a5e3214495f52b0794d7893fed5761565867982e287a61
AgentTesla
18101c8143fc94452ed21e400ea2fa9842f516a9ceb8b61d600dfa7acb0e3e87
AgentTesla
4827c1bdf5000cc8fc280fa631d36c752d0cdd7b0b357671ef1ebc46a11c440f
AgentTesla
768346b8124137be2bd3df87a7ce2613446ddbcbd1ecb6761e7a902cd9f17b19
AgentTesla
9bd0e2f3db2198a11805aedadf2ef3e75aba1c02f1bbe0fe880eb71bb6a2651b
AgentTesla
a1629f14833195672e2b59b90d643fa90376f9ab7ceef315f08e0835860234c9
AgentTesla
c72b8203d03b577f7ca65cbec39de14a45c2a82f5d5e799635331480c8754651
AgentTesla
dab6df8c0c031a8812a6eab3bf8522f43743d8271679ef644ba1028e6d1aaf1a
AgentTesla
+ 9'833 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210914-vnkcmagae3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
db7d184d8d53c766669d7f5e6bccf2b761598c91d7ac6c059b9689eda579dd0a
MD5 hash:
67964b8b48b06dc10745e96a5eec562b
SHA1 hash:
cd61777a2f660a0d4e1910a6f68a266c7d961347
Link:
https://www.unpac.me/results/9f8ab06b-81c2-4ee9-b83a-da243d0e1c54/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/9f8ab06b-81c2-4ee9-b83a-da243d0e1c54/
SH256 hash:
612425433bfe2ea035bd5548a4d4ab210eabfa2d7d521bf23a8d442d3186c75e
MD5 hash:
fd6c4c61c432e1f501376d2a4f0ae1d1
SHA1 hash:
0b7c34337e900977db7af4f642259ac42e20e325
Link:
https://www.unpac.me/results/9f8ab06b-81c2-4ee9-b83a-da243d0e1c54/
SH256 hash:
9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1
MD5 hash:
1bf62efdf24fe9e1d60e07e91af847b0
SHA1 hash:
cf0ff3cbd49a36f24426622f868a971f1bcc18e5
Link:
https://www.unpac.me/results/9f8ab06b-81c2-4ee9-b83a-da243d0e1c54/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9126bf2a861c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9126bf2a861c56d9490b7af3cb91b89c61eb18869c2894540e48a654909e8ab1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1619638/
Cape
Cape
https://www.capesandbox.com/analysis/187870/

Comments


Avatar
zbet commented on 2021-09-14 17:07:38 UTC

url : hxxp://marketingintelligence.tech/nax/sso.exe