MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9132d4e6f57fb6c3b51e61282fcb00c876182a1e6e85e9c4ee046c72129962be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	9132d4e6f57fb6c3b51e61282fcb00c876182a1e6e85e9c4ee046c72129962be
SHA3-384 hash:	bd969e21cb526f30ac664e6a543a7d272ee77d43611c607202fe34a335443f2bd06943a7eaca1be78d67df5d0b5e7b62
SHA1 hash:	78b81de8fede1c266809db17ce269a533362d685
MD5 hash:	58dfe1a93e7abd5f7ea0253c2c88807b
humanhash:	jupiter-solar-nineteen-oklahoma
File name:	ZhC0vTPTLEBCP0Q.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	757'248 bytes
First seen:	2021-09-22 14:19:00 UTC
Last seen:	2021-09-22 14:56:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:oMmtiK5oaoFv4tWUE7RnFneeZ/dRKpf3PNsS7zqAEHXD/1k:Z+FoaM44UE7RFekCpfFsS7zqAcDd
Threatray	10'142 similar samples on MalwareBazaar
TLSH	T114F48BC89D884613D7A44172DC5C620632292C4A7723878BDBE57D7B3FFE683C22D996
File icon (PE):
dhash icon	a28aa2e2e0aaa2a2 (14 x Formbook, 11 x AgentTesla, 5 x SnakeKeylogger)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ZhC0vTPTLEBCP0Q.exe

Verdict:

Suspicious activity

Analysis date:

2021-09-22 14:22:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/26375f82-d2a6-41e4-9fda-6709671908cb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/190308/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1ecfba8f-7b81-46bc-be44-d381c7fa1de6

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/855667

Signature

.NET source code contains potential unpacker

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9132d4e6f57fb6c3b51e61282fcb00c876182a1e6e85e9c4ee046c72129962be/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-22 12:41:22 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=seznjzxvp63mhni6meuc7syazb3bqkq6n2c6trhoarwheeuzmk7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2be3d6560c3a180d25206ea6600502eb5397314eae97aeec53b27e2a53b1fb1f

AgentTesla

34b4bc7731f850fde6ae4ab681b262ea73ac01a2c1f6b1a8edb617133af63419

AgentTesla

4d32cde8b04dae775b23225a0a79b1165b778caac83033b3ed1a6b1e564e85cb

AgentTesla

8b36540feb94ebd4cc8347be22a49fd4cf480ca9b65678744197af3fb9814616

AgentTesla

93e5d93a217a419cd49cc911e02ece1167d7a13393fb91f9a1d5b88297a5e68a

AgentTesla

94b8559200017766c77f1087d53b3945f219f2ce0c7986efc00cbbad9a40d971

AgentTesla

b0ea314bac30cf5d80639c5257e354f810f8f735a481ae088b66bb2e962a6c1c

AgentTesla

c5727c6dd2a88adab36de5bb5967e52fa898497d1604f5987308e33069872bd6

AgentTesla

f7d8bb7108bdfc37cb94c9c04d73ba60d693f03411332ae31a7da4ad82e9a7ff

AgentTesla

+ 10'132 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210922-rmvv7afeej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7

MD5 hash:

71a894ff252c767b80d65ab1e54fda2b

SHA1 hash:

bcc4ff628585ca28b8b0f2c30e63049b910d4d49

Link:

https://www.unpac.me/results/d030b64c-3b2a-428b-8ff8-4e420700103d/

SH256 hash:

0c71f50c0e46b5665941619ab659996157a0491ebc99251282c1a1aa0501cd5e

MD5 hash:

44fa840d59894371e2926dd116af4c2d

SHA1 hash:

bbd658d49de43833e0f42fee4c367141185fdaae

Link:

https://www.unpac.me/results/d030b64c-3b2a-428b-8ff8-4e420700103d/

SH256 hash:

6548b52e143f9bd9e3eed42a434091d595b1caced24e7dcec1b9c0447c7891c2

MD5 hash:

c4d04b766603ecef6101bd4edf223ac7

SHA1 hash:

aedd5a24249948268ee21258f8814dbe3c943958

Link:

https://www.unpac.me/results/d030b64c-3b2a-428b-8ff8-4e420700103d/

SH256 hash:

c7bf2d9a79f99b58e183d5c45718867b06bebcfb93201b357a532c11a4091fef

MD5 hash:

9ba3a02fc80ca8474376507acf7e5f45

SHA1 hash:

8c5a047928f41218542387d3d1dec6791c1ddaad

Link:

https://www.unpac.me/results/d030b64c-3b2a-428b-8ff8-4e420700103d/

SH256 hash:

9132d4e6f57fb6c3b51e61282fcb00c876182a1e6e85e9c4ee046c72129962be

MD5 hash:

58dfe1a93e7abd5f7ea0253c2c88807b

SHA1 hash:

78b81de8fede1c266809db17ce269a533362d685

Link:

https://www.unpac.me/results/d030b64c-3b2a-428b-8ff8-4e420700103d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9132d4e6f57fb6c3b51e61282fcb00c876182a1e6e85e9c4ee046c72129962be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/190308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample