MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c
SHA3-384 hash:	923a2b381c70dee9ef6a0c84f53d2ea161e6850272e0965a830b2d91c664602dd2a17886f189d29ca066d69f0b263f1c
SHA1 hash:	d9e3bb88009eeac39374acbbfb6da8540e52ded3
MD5 hash:	3be58772ec6b51dd1fa1e0ac7cbed75c
humanhash:	salami-delta-timing-kilo
File name:	Production list.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	77'384 bytes
First seen:	2021-04-09 13:39:24 UTC
Last seen:	2021-04-09 14:52:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:kz1B3KgRo7PNBphlD43oF54kqIm4EXaBknAzbITx5uNm:kz1B6gsXJLHVEXvAzb6x5uNm
Threatray	45 similar samples on MalwareBazaar
TLSH	AC73FAE84DA554FBDA6CFBF490C251CEA231E53B25218A3B55C7C3C3C8166522DD82BE
Reporter	James_inthe_box
Tags:	AgentTesla exe signed

Code Signing Certificate

Organisation:	ApcWCjFsGXwbWUJrKZ
Issuer:	ApcWCjFsGXwbWUJrKZ
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-04-09T02:12:03Z
Valid to:	2022-04-09T02:12:03Z
Serial number:	8e0fa6b464d466df1b267504b04f7b27
Thumbprint Algorithm:	SHA256
Thumbprint:	d8bcfc1e3d2be3bd6a04a5308a8e19f2608e25bef04f31aeaf87df73fd4c12cc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Production list.exe

Verdict:

Malicious activity

Analysis date:

2021-04-09 13:41:40 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/3376db94-97cb-46ec-bbc9-ac3af457119d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/133405/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.18255.16725.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9d667a0d-e90b-47bf-80ce-1cbc62f26b52

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/671458

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-09 09:47:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tf3ngajrslwm2az72qu4pwnbjqwbis4ncru5fmm7ullac2vhjioa._file

Verdict:

unknown

AgentTesla

0f0159c20cfaa92f53f75ba6d3c934629359ca805f595d1a5d2247ae2df88737

AgentTesla

3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675

AgentTesla

42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290

AgentTesla

4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25

AgentTesla

57fe7f68965a1ccd46a9f6eabea78881182b47f01552f0274d5d951850a2d2fe

AgentTesla

74e35db0e018a83a1002237e7521e2cc0f2d03c6befa319d2b55c68f248f5bbd

AgentTesla

754f418e35d948ec99839d8219eed9d6fd8a8f8e11151af62b5fd08c206c204a

AgentTesla

86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36

AgentTesla

fcca738b7492f0d6fdb6eada6c111a2361d128ec5420fdcf91b8b56f1ecdb102

AgentTesla

+ 35 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210409-6r3eaynsx2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c

MD5 hash:

3be58772ec6b51dd1fa1e0ac7cbed75c

SHA1 hash:

d9e3bb88009eeac39374acbbfb6da8540e52ded3

Link:

https://www.unpac.me/results/69001951-15a5-47cb-817d-3578de949b32/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9976d3013192eccd033fd429c7d9a14c2c144b8d1469d2b19fa2d6016aa74a1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/133405/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample