MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments

SHA256 hash: 9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b
SHA3-384 hash: 6e80cebfad751b78cf81668de5f096c74a733b975d39938695f89914449cfeba3324b52525f50ac242b2f72ba831ecd1
SHA1 hash: 4e6e64903301366fc085d22e1d5b85c59b9dea46
MD5 hash: c2e51561442abb34d018bbf83df33b87
humanhash: hotel-single-louisiana-jersey
File name:SecuriteInfo.com.W32.AIDetectNet.01.1598.1585
Download: download sample
Signature AgentTesla
File size:626'176 bytes
First seen:2022-07-03 17:32:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (32'075 x AgentTesla, 11'216 x Formbook, 6'135 x SnakeKeylogger)
ssdeep 12288:4h73YEqUoWGbSCvQrCXNqXOVe4bSO8x5EX1RutX+f3ii+Zid2U9Q:RE8WJ6sCXN2OMUSO65E1OK38Zid2UQ
Threatray 18'384 similar samples on MalwareBazaar
TLSH T11BD40119BBE5CA11C2685677C1F2C1244370E44BE633E70FBA8D62560D537FA4ECA78A
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccd2d2b2b4deb8a4 (3 x AgentTesla, 1 x a310Logger, 1 x MassLogger)
Reporter @SecuriteInfoCom
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
264
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-07-03 15:59:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
c5dd7802c676ef4b52947c2521c6bd335f82a2cd4099676400a24a359bcbc792
MD5 hash:
bf73e4db0d034ff2a170f91c191cd4c5
SHA1 hash:
582a9b2e35c21318806d6e36822b634daaf05d60
SH256 hash:
50294822b28a4adbb45ae584a1cdf6de5723a4d42297a9fdd0b9db9a1ed2d15a
MD5 hash:
c6bcf4a7d98b3b2d498a428c29c63594
SHA1 hash:
1009fb5934a9a3067f83ddd65826492f6ffc8e3a
SH256 hash:
4a9fed5196874f93a6d4a0aac4ab48a910e11a478d09e4f09629b48665433013
MD5 hash:
f087af255ffdcf4d5eb788e89ce2f196
SHA1 hash:
cdf833c70cb01132ba19a2a326cf99a1debf3ac8
SH256 hash:
d4d6ea36986da068f54150480371128f7f9e036b5a8d58b7da14f33c0c341d56
MD5 hash:
94ba2cdfa51e08e249c89d616161a9a0
SHA1 hash:
a2ed328d4a4ad604ca2ba524c0508280a13f1a1c
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
SH256 hash:
9b97e64d40e81141d4cdae8e350c4d8b43addef9dfea1392fae691402d7bb94b
MD5 hash:
c2e51561442abb34d018bbf83df33b87
SHA1 hash:
4e6e64903301366fc085d22e1d5b85c59b9dea46
Malware family:
AgentTesla.v3
Verdict:
Malicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments