MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a065e7ac958ecf728cee5521723da7d6dce2e08184701ba88955fd5b16b8e04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	9a065e7ac958ecf728cee5521723da7d6dce2e08184701ba88955fd5b16b8e04
SHA3-384 hash:	ccdfe823cac1cf64cef709987dd1c504842c82d565eb6bbb768f4f2230f1dc48e7234161131e02bbbb29973ffb6bcd0e
SHA1 hash:	9bc0fcfbe5e24841c2925a2973458d4a568bb4f5
MD5 hash:	41b0ce69b84e80516810f0154587f539
humanhash:	delta-seven-idaho-sink
File name:	Document.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	465'408 bytes
First seen:	2021-09-01 14:14:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:NGU7lLvCs7MyV1Uk+RyCW3f4dlH1lSIS:DvCaMS1NwyCW3faAIS
Threatray	9'284 similar samples on MalwareBazaar
TLSH	T1BDA402C3B400307EFAF6C577B8E5497551A005765C574A1E8CA03FA3BE2251DABE8EE8
dhash icon	d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Document.exe

Verdict:

Malicious activity

Analysis date:

2021-09-01 14:20:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/afeb0ed5-8471-48e7-9085-15b3eae37069

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/184490/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.16162.31598.3149.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

DNS request

Sending a UDP request

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0ed5649-f80f-4bfa-a3de-b01d2684dab8

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843390

Signature

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9a065e7ac958ecf728cee5521723da7d6dce2e08184701ba88955fd5b16b8e04/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-01 08:35:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tidf46wjldwpokgo4vjboi62pvw44lqidbdqdouisvp5lmllryca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

102cc9a141c36c895d867ab6a432085ad0b4f5e1da01add23c26e6de5526c854

AgentTesla

6fe5e475ec18550353f2e1e2affdbeb8ea72603f9059af42c36ee24f4ce08c32

AgentTesla

b85e4c358cd20b0ad6e0bcdb93e578ee2dc2a898cfa60da1f39be1ea8424ce92

AgentTesla

c771be7912e20d4522cdcfed63feac0e59a91dc053ff96faf862be6a8f8dfa1b

AgentTesla

cac3ab8433e775a539ed661fb2d9caf7799213007b9f8bc01080557c452ccc41

AgentTesla

cb8a7d1d9c86d996899769e9abac0b326053dae7f9d8fc226aabfa89f3f8d16e

AgentTesla

e694eadb2f24bf7de44a2cc1d1fbc3d2e84d83d6cac2be444aef377bea95cc29

AgentTesla

f7bd786df639edd7ef050889027c751d321fc3bcf7670478da66a56cd6944c69

AgentTesla

f9af6e0e93f066a5788d1c5d0014204ff29c0080727647857e8f604885e552d8

AgentTesla

+ 9'274 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210901-t1262sw76e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

ebe1870f06a80f5a81758a98231bdd928eabece67ffa6b2a0672da45536a7d3c

MD5 hash:

70b2c18b0eff26042a8f560ca1d0a67e

SHA1 hash:

e347e8b13b751f6982d7ac40e56ba8de5e1d0255

Link:

https://www.unpac.me/results/ccf95be9-301d-43c8-8bb3-3506e3f49b09/

SH256 hash:

156aef06b84c13b216dd46cd250d1aa4bf063b90d27a35e70e045de7d349755a

MD5 hash:

12d105b19e2e12dd5555e6cf061c20ba

SHA1 hash:

c8685d919484871646b2920b1b79d29c4553b873

Link:

https://www.unpac.me/results/ccf95be9-301d-43c8-8bb3-3506e3f49b09/

SH256 hash:

acce890737e0ad098a55c80d5a79208acee5262e3759ae5389083709597e96d6

MD5 hash:

a58f79506d2d5dd64a9d8b3365277e84

SHA1 hash:

b5772c087c8de5ad87dacce591994e765a602f78

Link:

https://www.unpac.me/results/ccf95be9-301d-43c8-8bb3-3506e3f49b09/

SH256 hash:

9a065e7ac958ecf728cee5521723da7d6dce2e08184701ba88955fd5b16b8e04

MD5 hash:

41b0ce69b84e80516810f0154587f539

SHA1 hash:

9bc0fcfbe5e24841c2925a2973458d4a568bb4f5

Link:

https://www.unpac.me/results/ccf95be9-301d-43c8-8bb3-3506e3f49b09/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a065e7ac958ecf728cee5521723da7d6dce2e08184701ba88955fd5b16b8e04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/184490/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample