MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6
SHA3-384 hash: 838b3dbfa6d0e8bfe2115d263dd46337fd726d7caed6de8861a7e83d38966390fe04c62e127275f6a727cd7187f306fc
SHA1 hash: 0b32ec47784370abe9c2a2f3283f3534bfd0a42c
MD5 hash: 92c9428d979e175e6b1ceb5c0dc77642
humanhash: august-pluto-victor-india
File name:92c9428d979e175e6b1ceb5c0dc77642
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'077'248 bytes
First seen:2023-02-20 12:14:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:IVs4yZ1arYEJhxun9PckB8Rb4xixCWY7jsoUf2:0A/EJ8kkBJhPSf
TLSH T15335AD09AAB0DA77C5AB01FE18381B0D3DA4B5437505E6688FB37FD291709FB35A9213
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 7aca8abab4a4b8da (33 x AgentTesla, 32 x SnakeKeylogger, 4 x DarkCloud)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
92c9428d979e175e6b1ceb5c0dc77642
Verdict:
Malicious activity
Analysis date:
2023-02-20 12:16:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09ef591d-a886-454b-86b9-a2c8a7a754b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368410/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f3644a01b99ad33e7ea769/reports/f5d5f53b-3af2-4263-9c5c-92060bb54ca8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40b3d363-1951-428e-8b5c-e6c889d95534
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179174
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811999 Sample: J6hT6E4uF0.exe Startdate: 20/02/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 4 other signatures 2->64 7 J6hT6E4uF0.exe 7 2->7         started        11 xcKKev.exe 5 2->11         started        13 gcWPrHZ.exe 2->13         started        15 gcWPrHZ.exe 3 2->15         started        process3 file4 46 C:\Users\user\AppData\Roaming\xcKKev.exe, PE32 7->46 dropped 48 C:\Users\user\...\xcKKev.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\...\tmpA50A.tmp, XML 7->50 dropped 52 C:\Users\user\AppData\...\J6hT6E4uF0.exe.log, ASCII 7->52 dropped 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 7->78 80 Adds a directory exclusion to Windows Defender 7->80 17 J6hT6E4uF0.exe 2 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        82 Multi AV Scanner detection for dropped file 11->82 84 Machine Learning detection for dropped file 11->84 86 Injects a PE file into a foreign processes 11->86 26 xcKKev.exe 11->26         started        28 schtasks.exe 11->28         started        30 gcWPrHZ.exe 13->30         started        32 schtasks.exe 13->32         started        signatures5 process6 dnsIp7 54 us2.smtp.mailhostbox.com 208.91.199.224, 49695, 49696, 587 PUBLIC-DOMAIN-REGISTRYUS United States 17->54 42 C:\Users\user\AppData\Roaming\...\gcWPrHZ.exe, PE32 17->42 dropped 44 C:\Users\user\...\gcWPrHZ.exe:Zone.Identifier, ASCII 17->44 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->66 68 Tries to steal Mail credentials (via file / registry access) 17->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->70 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        56 208.91.198.143, 49697, 587 PUBLIC-DOMAIN-REGISTRYUS United States 26->56 38 conhost.exe 28->38         started        72 Tries to harvest and steal browser information (history, passwords, etc) 30->72 40 conhost.exe 32->40         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 12:15:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 25 (72.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4qess4t2p3q6y4dsfbtcp5bftsswqqjrxphuqp5fsevmlmtex3a._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230220-pew26sad5z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
aecc4329e8761c80d9f107298a27303c5eb7abbd735f37b06785c8436dbbf7ea
MD5 hash:
b389f7504a5fd70eaf821458668ee1de
SHA1 hash:
bf36fd00b13eaf899d40d917ce6a89f5a170494c
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
Parent samples :
b6d0953157868a8702d0503d4e5303d208b6b8653d09bd76ec03b7c6c8f2f273
eb6e19ad2d2857d66c3c83696ab30c1ec626c40a463c858b89ffc70b280baf75
5988d11b83423cfd48d121732e165533443e8a5186bc83ff79659608c358559a
5e5c1a11d54b8ba5d9f76f68599cf3854eb77fffc00cad21a33e8d5a79268894
21cc3a0dca0b425b501cdb9ed42bda259843cfc1a997d3d08fbe9efa45776ae2
ea040b1b5f2777c07c5c620f3526d9ef9257e594911245713a2e6457de238160
5b3f12dc47ef49f67d5818abdbdc233b8ed994756dd5f881822e6452660058d8
6b534e2e8806b6916275d013d60a55058f945b7bc58c3c55796f20d7fe0705b8
e7e0689ace455992d052b1c39c3edb903bc4477358f4ecb8fb0fff62f8d2561e
SH256 hash:
ad17ff0b943e3dafa4b9e9e32685038e9f4137b8f52a81d747774234eda247bd
MD5 hash:
50842e5c84a68e1b52550ff95abed238
SHA1 hash:
2d8a7984a8bf5dfd1610eafe68a45bc1acef0bd0
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
SH256 hash:
febd5aecda58f43ec76dc2c88af75afc01fb191a6a8f8848aad1a68e3b55b5f3
MD5 hash:
eae360bede736b1f8871d10383e14fe8
SHA1 hash:
0b46ba6c937ceb971a4b49bdbb24b1b56e840398
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
SH256 hash:
ea23eed15ebb02184e4502e6772c3f6197b5d99dac6a662b2d6a7564ada4a409
MD5 hash:
591a85b3272d45869fc9ff7c2eff1fef
SHA1 hash:
03914f2cf2835109bb50a8bc9195e8fb3bc463d0
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
SH256 hash:
9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6
MD5 hash:
92c9428d979e175e6b1ceb5c0dc77642
SHA1 hash:
0b32ec47784370abe9c2a2f3283f3534bfd0a42c
Link:
https://www.unpac.me/results/e2d60654-597e-4f01-a092-0e1bd0b13226/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9720494b93d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9720494b93d3f70f63839143313fa12ce52b42098dde7a41fd2c89562d9325f6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/368410/
  
URLhaus
https://urlhaus.abuse.ch/url/2545728/

Comments


Avatar
zbet commented on 2023-02-20 12:14:28 UTC

url : hxxp://107.175.202.151/9901/vbc.exe