MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80
SHA3-384 hash: f8b26d3185389dffbe177ae630fbcecd99848667cb2e48fa7dcb81e47677c905ae798bbfbdb4896f3db2e02d6cb3113c
SHA1 hash: 6f9302ad7326a87fe441ddf3949133ff4a4e5fac
MD5 hash: 6d9a6b918ca3a3e1890ceba01d01342d
humanhash: nitrogen-missouri-neptune-ceiling
File name:75756884_f,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'057'280 bytes
First seen:2021-03-22 07:28:13 UTC
Last seen:2021-03-22 09:36:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Onf4lfoIMwSEsw2B2A049C2nAw7c31n7iuV2nO8Lk1j3X2oNYlPTLe6yWE:OAlfoTEB2BXAw7oH2ObXdNkiW
Threatray 3'273 similar samples on MalwareBazaar
TLSH 6C25390663D86B48E27E1774256940568BF5BD0ADB32DBAEBD9070DA0A71F01DF33722
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns3102519.ip-91-121-163.eu
Sending IP: 91.121.163.33
From: Felix <gibi@SovereignGroup.com>
Subject: Re: Statement Outstanding
Attachment: 75756884_f,pdf.xz (contains "75756884_f,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
75756884_f,pdf.exe
Verdict:
No threats detected
Analysis date:
2021-03-22 07:35:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e2e4dff-54e3-468e-9bc0-4732207ccbd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.594.6929.12273.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/647417
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372674 Sample: 75756884_f,pdf.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 88 14 Found malware configuration 2->14 16 Yara detected AgentTesla 2->16 18 Yara detected AntiVM3 2->18 20 3 other signatures 2->20 7 75756884_f,pdf.exe 3 2->7         started        process3 signatures4 22 Writes to foreign memory regions 7->22 24 Allocates memory in foreign processes 7->24 26 Injects a PE file into a foreign processes 7->26 10 RegSvcs.exe 2 7->10         started        process5 process6 12 dw20.exe 22 6 10->12         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szs22dtx2qvulbz2ovx5clizzscdhzrtnmy6mrsyvbq3bp4rvoaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
168d180de146160d0ba93335e36e00d62029ea13f0a41ace68a76e8a2b547ac3
AgentTesla
2abef54041681b9251673959524c002821e9e90483c7cdc0e3668bf2cc2c91ce
AgentTesla
4dad4127df36f1ff3db7fd7dcc70e776f043cb621e3ec297551ad1e187dae0a6
AgentTesla
5e218a8b6cf31a57468b4954c81b8c43d377d9428edbe7f987dddcda3e755e47
AgentTesla
66299f1d16eab2cca6ebe65ac3239ab8fb27ea535d2fa6e2f472554c311d9f07
AgentTesla
942410ebb65f0bbc9c06ca40cdc921939085edbac07b7ffd5d3a21b3a113896a
AgentTesla
afb762081ead1cb5e87f45a39cd16a6875e901eb1d5ab40b978c25fe549d2662
AgentTesla
d1692c8db90c7a95a72e827ce43ffeb3bc88d3328203c7fd924a9401c8b220e7
AgentTesla
d60076d9ebcd69f0403422ebb01bf2df5faa59ce3fe2596b76ba0868ec666549
AgentTesla
dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2
AgentTesla
+ 3'263 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210322-aaq3nlgc4j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash:
1d1234ba19c430923b22f531bb19b369
SHA1 hash:
9868c1e97a3be16100a61b5ee1f7d2838b4782a8
Link:
https://www.unpac.me/results/b923eb0a-adeb-4100-9e3d-135337888880/
SH256 hash:
9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80
MD5 hash:
6d9a6b918ca3a3e1890ceba01d01342d
SHA1 hash:
6f9302ad7326a87fe441ddf3949133ff4a4e5fac
Link:
https://www.unpac.me/results/b923eb0a-adeb-4100-9e3d-135337888880/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xz a881d298926ebef585c3faf7180398365356218eb2e0e3f01406c9c48ff03b47

AgentTesla

Executable exe 9665ad0e77d42b45873a756fd12d19cc8433e6336b31e64658a861b0bf91ab80

(this sample)

  
Dropped by
MD5 814bc01372513dc9e771548d1a2947a2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a881d298926ebef585c3faf7180398365356218eb2e0e3f01406c9c48ff03b47

Comments