MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6
SHA3-384 hash: e765cf2b180d50e5e4956d0cb35a14e633295c8a8d533b6d14b095c4d5e8283cfda7ff5547b76704547d68bf625c4903
SHA1 hash: a917013e5c0bd4a0facf6ebac205a64eb885f2cd
MD5 hash: 1d693b7a49429beef44735fb5e3d3d01
humanhash: iowa-jig-quebec-louisiana
File name:PO-0561.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:669'184 bytes
First seen:2021-03-30 05:42:13 UTC
Last seen:2021-03-30 13:14:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:/SFZcyqeNqUyHZty2UmIIzMX7oaig8PKWiJKE6k5:0Zcy9qHby2UpIzMX0ax0YsLo
Threatray 3'556 similar samples on MalwareBazaar
TLSH CCE4B1A870AE005DEEB46674F5B655821FC925321F62FF3F28E617005CA37B9FA4E910
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-0561.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-30 05:45:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/00d5f9ba-906f-478c-88ef-ce9152d22895

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127889/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c93146f-509d-42f2-be99-f2628475c2c5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657971
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 03:18:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmuobbrchi5jdiuirzrjetqnpwj375xdgoxaoft7vu5k2foel63a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a3044af336b6c7268fe3d1f2fb8ecda2353552bee8455a6285be0a7e55e2d44
AgentTesla
29b33dfc23c9d0fb7375b09cebd89658ed6b5cc66027512f1f697512209fc50a
AgentTesla
29e43219dc1b9239dab0ec49bc6e8c5d8790e4b049818f3abe6cf26bf3538e85
AgentTesla
7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3
AgentTesla
8bad16db1bd40fbc6e6fa8a9a9efd9f3bf8e95dd83af238625ee3f1f1ff1950c
AgentTesla
8ffd510513cafe4d5b4812ef693f06dcff7dc4097cccacd1be4ca0d308f3494d
AgentTesla
a8c94f8fc9b5c2a0cd3da68122fc36b28a7b990ace2f238961742245ece50ed5
AgentTesla
b019e8d729a835b9834889650eb87183538da0a1ff600e138db6065efea24a57
AgentTesla
d114ed04fed2c6a8df9fd9928029c0ea86fa55186ab35bb78006d637daf6cca2
AgentTesla
f86da0984972a912636cd654ce3650c36b600e2b69ed6276b5b898519bec6f48
AgentTesla
+ 3'546 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210330-lc12x5w9ya/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/5bd39dce-ccad-4fb7-8db0-db5e69e6e46a/
SH256 hash:
9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6
MD5 hash:
1d693b7a49429beef44735fb5e3d3d01
SHA1 hash:
a917013e5c0bd4a0facf6ebac205a64eb885f2cd
Link:
https://www.unpac.me/results/5bd39dce-ccad-4fb7-8db0-db5e69e6e46a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xz 8824a401cf41d728889264ba415754fe55033325e9e0d8e056e1166fd2f2372b

AgentTesla

Executable exe 9b28e086223a3a91a2888e62924e0d7d93bff6e333ae07167fad3aad15c45fb6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8824a401cf41d728889264ba415754fe55033325e9e0d8e056e1166fd2f2372b
Cape
Cape
https://www.capesandbox.com/analysis/127889/

Comments