MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 9
| SHA256 hash: | 9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b |
|---|---|
| SHA3-384 hash: | 6e80cebfad751b78cf81668de5f096c74a733b975d39938695f89914449cfeba3324b52525f50ac242b2f72ba831ecd1 |
| SHA1 hash: | 4e6e64903301366fc085d22e1d5b85c59b9dea46 |
| MD5 hash: | c2e51561442abb34d018bbf83df33b87 |
| humanhash: | hotel-single-louisiana-jersey |
| File name: | SecuriteInfo.com.W32.AIDetectNet.01.1598.1585 |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 626'176 bytes |
| First seen: | 2022-07-03 17:32:20 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:4h73YEqUoWGbSCvQrCXNqXOVe4bSO8x5EX1RutX+f3ii+Zid2U9Q:RE8WJ6sCXN2OMUSO65E1OK38Zid2UQ |
| Threatray | 18'384 similar samples on MalwareBazaar |
| TLSH | T11BD40119BBE5CA11C2685677C1F2C1244370E44BE633E70FBA8D62560D537FA4ECA78A |
| TrID | 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | ccd2d2b2b4deb8a4 (3 x AgentTesla, 1 x a310Logger, 1 x MassLogger) |
| Reporter |  SecuriteInfoCom |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
Clean
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-07-03 15:59:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 40 (40.00%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 18'374 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
c5dd7802c676ef4b52947c2521c6bd335f82a2cd4099676400a24a359bcbc792
MD5 hash:
bf73e4db0d034ff2a170f91c191cd4c5
SHA1 hash:
582a9b2e35c21318806d6e36822b634daaf05d60
SH256 hash:
50294822b28a4adbb45ae584a1cdf6de5723a4d42297a9fdd0b9db9a1ed2d15a
MD5 hash:
c6bcf4a7d98b3b2d498a428c29c63594
SHA1 hash:
1009fb5934a9a3067f83ddd65826492f6ffc8e3a
SH256 hash:
4a9fed5196874f93a6d4a0aac4ab48a910e11a478d09e4f09629b48665433013
MD5 hash:
f087af255ffdcf4d5eb788e89ce2f196
SHA1 hash:
cdf833c70cb01132ba19a2a326cf99a1debf3ac8
SH256 hash:
d4d6ea36986da068f54150480371128f7f9e036b5a8d58b7da14f33c0c341d56
MD5 hash:
94ba2cdfa51e08e249c89d616161a9a0
SHA1 hash:
a2ed328d4a4ad604ca2ba524c0508280a13f1a1c
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
SH256 hash:
9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b
MD5 hash:
c2e51561442abb34d018bbf83df33b87
SHA1 hash:
4e6e64903301366fc085d22e1d5b85c59b9dea46
Malware family:
AgentTesla.v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.