MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9
SHA3-384 hash: 1eba0adbe37e0637f52d641dc9389e8a279b3170ba252604fa4cdd809f4ec6a86079bbba05af6f6b3aab817d3da27a81
SHA1 hash: 4e50012a8102409f570ee4b36785d7baa5dca364
MD5 hash: f72277eebaf6b7e2891b7ba24188ebda
humanhash: blue-kitten-iowa-network
File name:f72277eebaf6b7e2891b7ba24188ebda
Download: download sample
Signature AgentTesla
Create hunting rule
File size:144'168 bytes
First seen:2021-06-16 10:15:14 UTC
Last seen:2021-06-16 10:56:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:Xyw+Fl90LoD0ZCAz15f22kDM7bOjaH4ZinJ0iQjx:XyhFDhD0gOqQQjx
Threatray 196 similar samples on MalwareBazaar
TLSH C6E3BFECD6B8BCEBD41AA1F5DC75F6E5191BEA285468092A382A710314723933CF5C1F
Reporter zbetcheckin
Tags:32 AgentTesla exe signed

Code Signing Certificate

Organisation:mf9MjfPfadfL108fd9e0g7
Issuer:mf9MjfPfadfL108fd9e0g7
Algorithm:sha256WithRSAEncryption
Valid from:2021-06-16T02:15:33Z
Valid to:2022-06-16T02:15:33Z
Serial number: 77270cc1c69a6c6d6c113add292dcc25
Thumbprint Algorithm:SHA256
Thumbprint: db05b9771b641776faba49055a48efc5ceb117cb51cdcb93a179c68fff08773b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f72277eebaf6b7e2891b7ba24188ebda
Verdict:
Malicious activity
Analysis date:
2021-06-16 10:18:55 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/f7f4e758-233b-4fd1-9330-c093beaec657

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.57226.18469.7582.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a window
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f83545ae-3c96-4f2f-8f73-2e2a4ddad475
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802918
Signature
Adds a directory exclusion to Windows Defender
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 435326 Sample: O532dms5LV Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 53 apdocroto.gq 2->53 61 Multi AV Scanner detection for dropped file 2->61 63 Sigma detected: Powershell adding suspicious path to exclusion list 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 3 other signatures 2->67 8 O532dms5LV.exe 20 18 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 57 apdocroto.gq 172.67.158.27, 49735, 49750, 49752 CLOUDFLARENETUS United States 8->57 45 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->45 dropped 47 C:\...\e888z168ybTRefC409a4S5mn41ofdd.exe, PE32 8->47 dropped 49 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->49 dropped 51 4 other malicious files 8->51 dropped 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->75 77 Drops PE files to the startup folder 8->77 83 4 other signatures 8->83 19 powershell.exe 8->19         started        22 e888z168ybTRefC409a4S5mn41ofdd.exe 14 8 8->22         started        25 powershell.exe 8 8->25         started        31 7 other processes 8->31 79 System process connects to network (likely due to code injection or exploit) 13->79 81 Multi AV Scanner detection for dropped file 13->81 59 192.168.2.1 unknown unknown 17->59 27 WerFault.exe 17->27         started        29 WerFault.exe 17->29         started        file6 signatures7 process8 dnsIp9 69 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->69 33 conhost.exe 19->33         started        55 apdocroto.gq 22->55 35 conhost.exe 25->35         started        71 Tries to evade analysis by execution special instruction which cause usermode exception 27->71 37 conhost.exe 31->37         started        39 conhost.exe 31->39         started        41 conhost.exe 31->41         started        43 2 other processes 31->43 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 06:15:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toihvy6s3h3xnqdiuszdohi37qcob3jvt7dixcddmybqdrngis4q._file
Verdict:
unknown
Similar samples:
3492e7a8834c1397d51e0178ec31a2fae9c115aa7a9439e726cfb7d043773b81
AgentTesla
3fb05be6f9437b4193be86c5c498d812e96b0cfd8682f8fffee9a4f8adaedfe5
AgentTesla
708085716192c45d0ec7d12bb8a80c617c308eebc6fad09de93b540c41774b4b
AgentTesla
755d1705b3e251b03d2dede382eab3891eeab12db5550846a63dac632cdf04a7
AgentTesla
aafe9e6368558fe7cf16b19ba3579678cb4fbed684f7ef62fa63f61cbff3b896
AgentTesla
b33111055e431055136563c9ad41270cf91919077fcf9b7365dee85d977eb9a5
AgentTesla
c9ec17f5213d4df014017213ada7988cdb613767f3e9840e72d74c57da9499d6
AgentTesla
ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf8cf9155e67e7a460c2c
AgentTesla
d43a9c39eb83b58fabc2a3d58ad0b47dc3f6642b3aa68dd4922905a66a4c4cb5
AgentTesla
fd80116dffb4a52d6a31d33d06f3ff943c38f6ada8fd3d9e9ffaeb0422a010a9
AgentTesla
+ 186 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210616-xcxq4axts2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9
MD5 hash:
f72277eebaf6b7e2891b7ba24188ebda
SHA1 hash:
4e50012a8102409f570ee4b36785d7baa5dca364
Link:
https://www.unpac.me/results/a5a2c314-072b-4842-9241-7a928f2d96e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9b907ae3d2d9f776c068a4b2371d1bfc04e0ed359fc68b8863660301c5a644b9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1371437/

Comments