MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91f9f63b9d355ddcef27f8fd431029f4cb55cf8700f5257b0d20f6ae4c77baf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

SHA256 hash: 91f9f63b9d355ddcef27f8fd431029f4cb55cf8700f5257b0d20f6ae4c77baf9
SHA3-384 hash: c4badea99a924f1f9f4e9936b420c5120ad8ea1a3a560a1d0690d68887321dfe3c7ea6376bd173a1ab274d1b9d5fa91a
SHA1 hash: ca404e0046bc0d111ecc8dfb39ddb118e162fc93
MD5 hash: 8184b2a068185fff2dcb9da4b037a47d
humanhash: mirror-fifteen-louisiana-august
File name: Agree Ment Letter-34222876190544.exe
Signature: AgentTesla
File size: 677'016 bytes
First seen: 2021-07-15 10:54:10 UTC
Last seen: 2021-07-15 11:36:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:L3ZBubQcRLTaWRUuDOazs4HDBW9Lf2jFa3v/v7Fr8MGSityjKd:DZBURLTapaztWRuEnTFrvGdHd
Threatray: 6'852 similar samples on MalwareBazaar
TLSH: T1EAE4BF823144DCDAE4432DF258AFD57060786D9E8165CA0E3743BF2B95E734234ABB9E
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence
File Origin
# of uploads: 2
# of downloads: 130
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Agree Ment Letter-34222876190544.exe
Verdict: Malicious activity
Analysis date: 2021-07-15 10:55:54 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: (interactive graph rendering not preserved in this extraction) Behavior Graph ID: 449248, Sample: Agree Ment Letter-342228761..., Startdate: 15/07/2021, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-15 07:47:52 UTC
AV detection: 17 of 27 (62.96%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_731d40ae3f3a1fb2bc3d8395
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificate

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AgentTesla
Sample: Executable exe 91f9f63b9d355ddcef27f8fd431029f4cb55cf8700f5257b0d20f6ae4c77baf9 (this sample)