MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
SHA3-384 hash: ac3045ce95f07ce9a3f223b19fe0a6404abe75393a0948a6ff2c158ffdc6a8f33e7a84a2456cb181f1f37a606bfde209
SHA1 hash: 944724bdb753a9a557219199f503b1056e3f73a4
MD5 hash: 8cbc0ff91189383a65d97c1fddbd9a96
humanhash: nuts-don-quebec-paris
File name:ANAS AL FADHLI TRADING.xlxs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:666'624 bytes
First seen:2025-04-17 05:57:16 UTC
Last seen:2025-04-17 06:38:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:KgCRxJnyLDfBiFE2UsJCYQAc0lwILuAbpfoCDLBc9WY:enYDf4NLuFWpY
Threatray 3'458 similar samples on MalwareBazaar
TLSH T1C8E412293799D913C4D60BF01D61D2F402BC6E8CB916C707A7DE3EAFF8A6B842545392
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
465
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ANASALFADHLITRADING.xlxs.exe
Verdict:
Malicious activity
Analysis date:
2025-04-17 06:02:07 UTC
Tags:
evasion stealer netreactor exfiltration agenttesla ftp
Link:
https://app.any.run/tasks/cb44579d-3821-4acc-8891-3a93697f15e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2623/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800995e280f5f89a0d02dbb
Tags:
virus micro lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/6800987190767142c3d87dc7/reports/c13aa33e-1938-4b38-8fa8-1cb5c1890d92/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d97d6c5-0724-44b1-a5ae-aef748740458
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667143
Signature
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe/
Threat name:
Win32.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 05:58:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4qkmp3g43yp4lmtzg6z4hfd35okquqlt2vnt5jl2qp4z2fhgh7a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
125d241b0ec8516cdec0f7d117235d5f37058d4a7bf0735f6c5e09ebf3d95807
AgentTesla
8d131fafbcc174ab6d33a73b0e7cbb72060a403cac403234578acfa762cef7b6
AgentTesla
a32812ea87167fe0a9275823f6c873984de4dc7ece43895f02a175826aeecdce
AgentTesla
aba4d6ba306deaf02c3122060facf7e11d19da806321ac993c42461d4e9edcd7
AgentTesla
e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55
AgentTesla
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
AgentTesla
fc25ad86b8fbcf3ef16589806009d2025b9849a0af085e7848daa5543bdabab1
AgentTesla
+ 3'448 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250417-gn8hkatjt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/a12f9143-c626-475b-9baf-3f1a439e4e81
Unpacked files
SH256 hash:
9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
MD5 hash:
8cbc0ff91189383a65d97c1fddbd9a96
SHA1 hash:
944724bdb753a9a557219199f503b1056e3f73a4
Link:
https://www.unpac.me/results/40cb64b7-0e49-4e3c-8f32-22cdea18e489/
SH256 hash:
2b4d8618caebc5ed28682162f3185863292a54ea3c79dbfa1854460de9137927
MD5 hash:
3e4500484ee416ba02b0d977b6039a06
SHA1 hash:
05eaf512076af6a31d590e69ae8410b1ee187b43
Link:
https://www.unpac.me/results/40cb64b7-0e49-4e3c-8f32-22cdea18e489/
SH256 hash:
396a533c1aa5068ee6ce0139d961115d6697c44e7a5da0202e4babaaa0a92c9c
MD5 hash:
3eb7fa0b6d80290035a437f7b0dba459
SHA1 hash:
7bdffde1bd4bf57f32c027de47283ff783f1e66d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/40cb64b7-0e49-4e3c-8f32-22cdea18e489/
SH256 hash:
a7745746577828e675df9d9d252a6bfd940e5e415379838e9849d08b7a65cb6b
MD5 hash:
a0b53db27f8345237d9871f110a51104
SHA1 hash:
cd4330e55250289d072fead68b5cdb7c62b7a45e
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/40cb64b7-0e49-4e3c-8f32-22cdea18e489/
Parent samples :
93c1f391cb06fe4cf2a57dc8236dc9b970d2afc688d5fbbc9abd4dc2ed4c089b
9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
f9510c8431f00936d5ad598f8cb291f8b7c332f3af0fed696a99a1474c0ed706
1ff4344aa791b6f759f9e9d9655c28b468e33fb13017e33f707fc623769cf2ed
fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
6b0cd55a4c6a299025ba02dc9d1962b494401c31d0125651a19c655c7bfc2a8c
e4997c748608a44552daf6262f503b22f5d77e20bb4b411c6342bcf6c1690ff1
be382be770efca98969b48895a2e7c41595a77cd79154a730db6b5ea9f0d2270
240c09f1a97bb6068fbe9c61b6026c0997dc5f2a06ae80e0c15ec691f40f30ee
c37baca5c488614ed44b90ade56d534975201dfa94327ed216b3c87e3ff8cc7a
35f56e6019406ee4247dfaf7a96e210eee795c8b05dc3c3666a2f644a8d4beab
70bb4b9ac0088fce0935763104020af0a92019cb428e3babc917739aec044296
f4cc69d1063ddca10b48ccf8c8c1380585144405f1bf3f938bdf0906d6229020
d0fcc696c691aaa8f1e3af4d7f4fab044704d96cf3f908af6681175715dc62be
c0affc728572d1e897d2869bd72b870bbe6851423e77f4b026306ade7d978e25
9434611a36173f7b73f3e3392e2ae8be5031cfff80ddf9a6638d1ee1aa81d05d
013ac70a93289c1dd9d84ff03a4d4ffc6256f185b098c92ee8dda039201ef8ec
8e44219248894eb248a11f54284a1c9b999ea0177209907f868ab8bc2783b9b7
31a83a4477bc742ccccec7cd1ef6cf0b56fce9735efd420763eb1ac82ed81842
a33c0ffb1a4ff6c80695b6f068d8c9fd434086f091554d75a6d99205c26e805f
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
a4870649d8987960960d6ce4482ec7ea064c268eac6d85eec8caac07303b61cc
393fecc94068036d3e4515448c33085cc7d8b8374a98b401e37d3ff751be8dd7
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a0f63bbedc34b836ef3e4f2bae53abda8ac334c5541a6d12f5659c2b131db6a7
c3e60b1c3a6a89355139b5213bd09d61dce0505d36e792b972e24b99fbb89850
4cd5676a9e5f1f59e10c246d9a6c674518e66031fea5e17d23318ece2c5e9c67
cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c
efd69a0ac7b81d3d2fe4900b06a98066f2517e0d9364361d396e143d6f90d128
c0676910f1362864201df2da6fc69db6b679c8ba7fc0f66a2dc47c2236142bce
417c165a04979b22d52eeb3fda53a4b6a699f80c3fc89a69fd408ea0fbad16ac
a7a427b9b9f7ce1d847bce150139c546e43f61d49c637ee425d24f52803d47c8
f199e8a011ce9dc5c0e579358241f64e951ea530ff27052ebc41f09f1b6546b1
4c2d6b024e7af04fe1a42d5afad603b085bf37eff5f3a0b9d59a42b3c2828cc9
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9720a63f66e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_779cf969
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/2623/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments