MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2
SHA3-384 hash:	0b3ba50523b97d389bdd87a9cefb6b0b90f6a91d788a8c965c125bbda2f733f8ecad71abb0e4c62de65e68328feac267
SHA1 hash:	400b2692fc7855dd7e2e1d981df26d76093da2ac
MD5 hash:	3b00c2acb4f5cf9afaf9e66300c29092
humanhash:	paris-lamp-uniform-victor
File name:	Offer n. 123 - our ref.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	591'360 bytes
First seen:	2021-05-07 15:10:46 UTC
Last seen:	2021-05-07 16:15:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:yvMPm/dWDy4ioAuCy5mbEvthGU/P4I8hNUqHv7mQjllWh5U9kSM:DGay4ioAi84lfN8hNlHv7JZ4h+9D
Threatray	4'611 similar samples on MalwareBazaar
TLSH	8FC401543384AF69E97E5BBE44B0960423F1F1019F93D31EAE94A4AD2D337C4CA69393
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/719501

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2/

Threat name:

ByteCode-MSIL.Infostealer.Coins

Status:

Malicious

First seen:

2021-05-07 15:11:18 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tn2fo26ihkrc6zojwq26am6ejq2m4zpmuxqg5p7o5q4z2l4cisra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

23f395feba9af97086e3c3dee7cde812ad67a31cc151d9285b2fc7b2f926bc4d

AgentTesla

30364fae6ffb039cc1e6961f3b50f82ff4492640fc11b14f588153e3ab9135a2

AgentTesla

3455716f81e993173ef1e17b90f9233f70e6ce36a735ca19c40dcf816fc389ce

AgentTesla

3e7063017d638a0ae77d3576ffe9fc6c2c8e48235e010b35b697eb944c79cad1

AgentTesla

6e1a37cc8b4d9d0588132c3f315a4e1f7873ddae440c7be61381b12edf74e723

AgentTesla

831b826d99eb3e6d44dca2591d239dcb844291ad71a1b7f4cdfe79f29745ea1a

AgentTesla

8c2718d518773113b005fd5a463e59eed158bdcb3e8631030beb0e3e8b3c121b

AgentTesla

dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d

AgentTesla

fa816fa2565bb49b65dbb51bb3a70f87b82437e19c0e7680a6a112fe177f880b

AgentTesla

+ 4'601 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210507-6mxs8lvgre/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/f4207067-8212-49a3-8dc4-f8c0cb42fe61/

SH256 hash:

9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2

MD5 hash:

3b00c2acb4f5cf9afaf9e66300c29092

SHA1 hash:

400b2692fc7855dd7e2e1d981df26d76093da2ac

Link:

https://www.unpac.me/results/f4207067-8212-49a3-8dc4-f8c0cb42fe61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b74576bc83aa22f65c9b435e033c44c34ce65eca5e06ebfeeec399d2f8244a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample