MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235
SHA3-384 hash:	a5a079582fd31eb2972f9415313c084804f6d2b8e00c58f402e61f24a6af96fdf9f634e5e893305a0fccab01eb5bb5d0
SHA1 hash:	3db04d502cbfbbb6d0e1116968f9db3bae5bb73a
MD5 hash:	55591ef3036c998048648a992f5b1192
humanhash:	winter-charlie-uranus-item
File name:	CL030220pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	927'744 bytes
First seen:	2023-05-19 09:14:57 UTC
Last seen:	2023-05-20 14:55:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:F0EAZJLpNaPn0YPX/NarqFTmooTcbLNkcinxJ57+p5EJYtcYdBmmg+th0j50Hd1m:KEAZ8P0pwTboGZoCTzs+ti5B6N7cVrJ
Threatray	3'902 similar samples on MalwareBazaar
TLSH	T17E15D08126B88F55E2766BF96272E63443B53C54E726D21D5CE02CDB3D76F812B00BA3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CL030220pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-05-19 09:17:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4025c060-6d2c-4b44-bb3b-e49d6d4ba0a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.31124.26270.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/64673e174b051798b3d9d484/reports/afd81da0-3d0c-4330-b5d4-c829da0438b6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/810c51e7-baf3-4e77-a326-8cae122ffc29

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1237110

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-19 09:15:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sn272b6nikppvrsxunzvyf4hvd3l7d4ao37mbzq2x64b2dosqi2q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1680422c807dbbb8686d36461be752fbb2ad0d75d48711de16f85eb72d977203

AgentTesla

3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d

AgentTesla

5190da5fffe0094c06dee97bbcf1e4446e1428c1bc956d21875f3cb5a04625d6

AgentTesla

82f5deb6c4fcc0e1024ce95e8723df267ebedbdccd94ec1e296e037fd59976f1

AgentTesla

a21c508de19d0b316579d1686ef31559928d3d0c105e0f41b16aac61cb1218d9

AgentTesla

ab8a0181d0835a210e35819cd3e2220e5d683e67eb5678d574ae8f168bba965e

AgentTesla

ad4b09d5bd45cb28e02d15b16313813aac8db083363be6aa81d2d6e53ed97a9a

AgentTesla

fc25fc39a2466760367fa55e0885ac65ae43395d8918e3ee5f3e4c094cdea58c

AgentTesla

+ 3'892 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230519-k7wjwsfg81/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5932003035:AAGiWu3EDh9FYzqRKIySebzjjQ5uW0afS3o/

Unpacked files

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

c2ab60716f6ef73c950fe8894fcec5813e0c189e36860065e29be549b82524fa

MD5 hash:

914b7a427efb89827cd7a84adc29eb80

SHA1 hash:

7874bebe83221a8ff9caf0bd5fe45a1c08cf7379

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

SH256 hash:

cf83ebdd131f41a6d18026a3cd4d652dfa2d229565e5f4fed5ad3c9ffc544f53

MD5 hash:

bd09e6b84f43b13f3faa7d41792de99f

SHA1 hash:

6ad2ea32c617b9af7769034012bafba6f26b7baf

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

Parent samples :

3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d
82f5deb6c4fcc0e1024ce95e8723df267ebedbdccd94ec1e296e037fd59976f1
9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235

SH256 hash:

f9b033080e74d966e4198875a8fbb78e307b17a6d9eb633ab91a8c0eec8b73c8

MD5 hash:

26d86f35d57d711b94fd469cbf42c3c5

SHA1 hash:

456dd22cb40dbe712594553050b359cb47b03cf0

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

SH256 hash:

b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23

MD5 hash:

a74d4ff639d43c44d7dcf925dfc3b2d1

SHA1 hash:

1db08e8f485ac81d554e836a784589ab4cee8486

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

SH256 hash:

9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235

MD5 hash:

55591ef3036c998048648a992f5b1192

SHA1 hash:

3db04d502cbfbbb6d0e1116968f9db3bae5bb73a

Link:

https://www.unpac.me/results/d643f212-7364-41e2-8e46-87645e570425/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9375fd07cd42/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample