MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4
SHA3-384 hash: cfd5c17b980b23e553f9812b4df45d153468c65917ee2531269414e470b6eb96a2ae019f88a02bc1d121f2214c933ee5
SHA1 hash: 3c1caa09abe1c23ac8e4ee426bee7ab4b76a6c31
MD5 hash: f744296570d39e6ddddbe45030d989f4
humanhash: double-july-angel-six
File name:f744296570d39e6ddddbe45030d989f4
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'156'096 bytes
First seen:2021-07-21 17:44:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:7mR5hdOBUEE1O72wfcYJy/5BX+OdeBKq8U+ahp:+UE1Oqw0t5BX+yeBK5UB
Threatray 7'155 similar samples on MalwareBazaar
TLSH T1E8355C91F1138999DC6AC6F36C2A953025A7BDDC7464830C5A99B7EA35B333120DFF0A
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-21 14:42:39 UTC
Tags:
encrypted exploit CVE-2017-11882
Link:
https://app.any.run/tasks/2b3275b1-73d9-42fa-95ee-ad7fde2ed1f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173067/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/002b5e0c-43b5-4555-a7e1-9b9d64a93c4f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819652
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452063 Sample: YOrIYwlJNp Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 7 YOrIYwlJNp.exe 7 2->7         started        11 newfile.exe 5 2->11         started        13 newfile.exe 4 2->13         started        process3 file4 29 C:\Users\user\AppData\...\lUNThbzNxoZyoj.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpEF09.tmp, XML 7->31 dropped 33 C:\Users\user\AppData\...\YOrIYwlJNp.exe.log, ASCII 7->33 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 15 YOrIYwlJNp.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Injects a PE file into a foreign processes 11->57 21 schtasks.exe 1 11->21         started        23 newfile.exe 2 11->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\newfile.exe, PE32 15->35 dropped 37 C:\Users\user\...\newfile.exe:Zone.Identifier, ASCII 15->37 dropped 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->39 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 17:40:52 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmh5ngxdkzxtolsz3n4wjkiynvlqv27uthmjfff6fef7xiber6sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f834fefed4e4fa735bf5e231ab5563529102c0c59890439419085d3c395b9c
AgentTesla
113eabe35a49134e8f6b1ba27c748826ea959de70fda113a6e71f70b6740b2d0
AgentTesla
2c04fc54a89ec9b7e65a0ddbc30b50573eb98f1c83858678ee097b3940b4a028
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
708833adb2ee812262f329d04431f369c1e5046aa5030362c521c828af756ec2
AgentTesla
840c19668e595e55bc29b253b69484b32b8f7c905185500d9415e0a35400b640
AgentTesla
8c1a778e7827034eb26331b4502ee7454b7650718a491a1d51e3e449c5295c93
AgentTesla
b093aa405373bf5f37eb5b10379ab1e10add9aaf66471e299162b60d32f98b1a
AgentTesla
f7bd786df639edd7ef050889027c751d321fc3bcf7670478da66a56cd6944c69
AgentTesla
+ 7'145 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210721-8gy2dxf1ne/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/779e95e3-e274-4e51-a702-60e668981fc7/
SH256 hash:
9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4
MD5 hash:
f744296570d39e6ddddbe45030d989f4
SHA1 hash:
3c1caa09abe1c23ac8e4ee426bee7ab4b76a6c31
Link:
https://www.unpac.me/results/779e95e3-e274-4e51-a702-60e668981fc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173067/
  
URLhaus
https://urlhaus.abuse.ch/url/1471070/

Comments


Avatar
zbet commented on 2021-07-21 17:44:49 UTC

url : hxxp://198.12.81.125/hkcmd/vbc.exe