MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2
SHA3-384 hash: 6e27fb1b7e9bb6f35874d2671aa0b57919933b62613266ca82dd8e7558f245916ad5815b06ae0cb78120cd97c6036af0
SHA1 hash: 33b639f15e2537405569ff368095a5e46defff08
MD5 hash: c8ff7aa9dce32cd13d48c623c108c8a8
humanhash: minnesota-steak-california-floor
File name:DUE INVOICES66584.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:389'632 bytes
First seen:2020-11-05 07:34:46 UTC
Last seen:2020-11-05 13:41:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a2e488bb8211c84ecadafdfe470552d (6 x AgentTesla)
ssdeep 6144:0n4ilitk9V1Nap254gE5/JhKy7890s/9Japg/5VmJJ/DbWvtZw3mLfrCodgCxhHr:ctlWI1gg4h5/J8908JapGHmJVDbSw3mY
Threatray 2'525 similar samples on MalwareBazaar
TLSH 9D8423B6E26F2035FA3B94F256C79172CD112FE18B44EE94DD54FC803F38AD8961819A
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83087/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521016
Signature
Contains functionality to detect sleep reduction / modifications
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 07:07:06 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkgwf6r3m33k7jrzchyoivujsgm7qbuginnmgjj2daqu5utumdba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
22235f4edec77bf047d6f5f3ea4d7b4abcc5b3468d306cb66b92e49001768fae
AgentTesla
3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
512a3ca963394c011a96212499373a7baa29456fa0d501f72f42f49dd224f4a9
AgentTesla
98b586cd2517a8296335f30e0e363ab72b047d10e50cec33f41ed93b6b492ca6
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce
AgentTesla
+ 2'515 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201105-qx3eyz3w1n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2
MD5 hash:
c8ff7aa9dce32cd13d48c623c108c8a8
SHA1 hash:
33b639f15e2537405569ff368095a5e46defff08
Link:
https://www.unpac.me/results/466eea6f-4f1a-4789-987a-6a0ed912f111/
SH256 hash:
acc40495efdf2b9cd705679dfb5db45812619d810dd5c930ab269a19c1500dbf
MD5 hash:
909701881abe75ee1a294f3194c18f62
SHA1 hash:
e254e9ee769edd3a47c1023d949a076d98da5d1f
Link:
https://www.unpac.me/results/466eea6f-4f1a-4789-987a-6a0ed912f111/
SH256 hash:
516e1da61d0686f7e0ddf7ae5d5ab5b96fdf90bb29b738b91c9d529d12b03e1f
MD5 hash:
c8f590332d1367af9999cd7b346e0f8a
SHA1 hash:
40e53ff6815dc0542d5fcc713b73af986f8e1819
Link:
https://www.unpac.me/results/466eea6f-4f1a-4789-987a-6a0ed912f111/
SH256 hash:
653e3ba5f5d08e98424d70542547b28071d72b79002a25dcc7ea45b17c079c82
MD5 hash:
8a75bd13e4e947d60ed3a910164eee93
SHA1 hash:
5a5ce70b9dd220e95c63cd124ba5b7c8464f6738
Link:
https://www.unpac.me/results/466eea6f-4f1a-4789-987a-6a0ed912f111/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 9ad40935dd7c7b9269d0265f39f11070e5fc1189c9fce7b60292049be83fe05b

AgentTesla

Executable exe 9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/83087/
  
Dropped by
SHA256 9ad40935dd7c7b9269d0265f39f11070e5fc1189c9fce7b60292049be83fe05b

Comments