MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447
SHA3-384 hash: 1c9c94cb8207720b8e6052c2d347a6fae490bfe05e1e00a630e7471b0dcd5273a7461ebe0aba61406a7f9332f9bc0b62
SHA1 hash: e5503c4332c8e0785ad6da005fe5a3147083aac6
MD5 hash: a50061abca7c92e35381d8a8e2fa735a
humanhash: friend-purple-helium-cola
File name:kwez.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'063'936 bytes
First seen:2023-05-25 08:35:30 UTC
Last seen:2023-05-29 09:53:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:iTmIt9BEP8SDJZ0Aww0IV3UcVbbUAnQWNB0a7Jl/WYyAqpaCB:iTbBe8S0AwwV3rbUAnQWNB0a7Jl/WYyd
Threatray 4'223 similar samples on MalwareBazaar
TLSH T15635CE09F050D3AFC5560AF08AA5A2B1942F4DB1240B7393F589F86F7AB398791347B7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0ccd6aaaa96dcf8 (1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kwez.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 08:55:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/421997c8-b0e2-457b-92ab-5cb584b78a7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391483/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/646f1e0174a37a9dca1b3d1e/reports/d3dbdf06-5c55-4e91-8d3e-c1aab6af37f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6327228e-dd51-4d47-a001-117132f03be0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242306
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 04:23:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 35 (48.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=te2l3mrvpfunngj7n2qm46g6wrfy6ubbiqcxxu7hjf3wouzgurdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00cf6e9a873007d1f11859d3e30c85bda6f137cfbc53cd0bc9a4ac77a6ad5b04
AgentTesla
06045cf83f2510a653e35d63d4e77dcc1d2265050be035ef7ea00fc2b855da2f
AgentTesla
0a4e71d138b64a3b8b5b1e99b662536590a48e0bd1a993cff6a4dd98dd84f6cd
AgentTesla
1ceec340fd8873da552c966465caf7f4327560599fe6e4481c7a7db489bd98fd
AgentTesla
389cd12974a382686c0f491549b4bbe32c2dc9604b0b3a193ee4fb30ede8335d
AgentTesla
4229ac95a7cd9cc9eb93d0d77a73c9120aff761dbaf18fd51b23dfa766408137
AgentTesla
8b88f918a3b7c133e7bb6cf209ede9d0524cea021694ea55764ff1a292749d09
AgentTesla
973c7cf900b8d3fe8f945e15c64e4d786a659ea779196a0bb3fa135f3026c70e
AgentTesla
cd3f84c42ebdd57e9b3679216ef581b466aa1a646728156155a41055b070e788
AgentTesla
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
AgentTesla
+ 4'213 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230525-khlcmagh97/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9e48aa22f044cef260f679b550f314dee4b2ec8f852d46eb4eaa13499d17b943
MD5 hash:
0b2ee5701a7b6a7a6feec7e0f475d98c
SHA1 hash:
71950279029abf39ae5a3ab5e1b9b74c697ca62c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
Parent samples :
973c7cf900b8d3fe8f945e15c64e4d786a659ea779196a0bb3fa135f3026c70e
1ceec340fd8873da552c966465caf7f4327560599fe6e4481c7a7db489bd98fd
8b88f918a3b7c133e7bb6cf209ede9d0524cea021694ea55764ff1a292749d09
9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447
840f0822e110b24a1c9afd2c661265ca7e6c1336722d0333a6f82d33cb8cf056
SH256 hash:
e58e7e0e30fee092154dfa22205605d7fbcc5a4d0449e0f7063379b52398c92c
MD5 hash:
b51ca8c11ebc866a3b7c27cbfa35927b
SHA1 hash:
11f92ff3129612de3fc3494cf7e75f52d4b90259
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
SH256 hash:
b2876080a8892ec02a11cc322cc18952d45f9e419c1cb6d4d070860c59fe87eb
MD5 hash:
803e0c67b76960ff5d9ccb360ba9636b
SHA1 hash:
836d339682618638c6b2e3d156ad66a56e4f9ba5
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
SH256 hash:
178198a42590c16cac8d140d7a79210046604254d217fd436145d02027f6ecad
MD5 hash:
4a50ee00cbe85a166413de4075de37dc
SHA1 hash:
30619b6fc7505c33078541023dc067a8c424ea3d
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
SH256 hash:
d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218
MD5 hash:
e5d93dadd08b8bc727e4f4853c6881ba
SHA1 hash:
27e0e057d33f01586193b0cbf06561c2863951f4
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
SH256 hash:
9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447
MD5 hash:
a50061abca7c92e35381d8a8e2fa735a
SHA1 hash:
e5503c4332c8e0785ad6da005fe5a3147083aac6
Link:
https://www.unpac.me/results/b2d1cbd0-a954-46b8-adbe-3631b8fa2d5d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9934bdb23579/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9934bdb2357968d6993f6ea0ce78deb44b8f502144057bd3e74977675326a447

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391483/

Comments