MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5
SHA3-384 hash:	56baec8767af11a65f132f3c9f6b017077ece8b4242874c749315caa611e40b4f100d3150d50118c56db32b9366eb5b9
SHA1 hash:	08b429e3c04ee8ab3dee4f767538e1d7402e9d83
MD5 hash:	9f47406520b38e4f56e23574dd77f25b
humanhash:	equal-lactose-lake-aspen
File name:	po.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'217'024 bytes
First seen:	2022-11-23 16:58:28 UTC
Last seen:	2022-11-23 18:43:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:/ZwVYsZ1DX/VDJtV7WtfpC2wsRaq5ldSupauq7ovqVxRAmszPE/aHLwLKWF/JeDD:/SVYkEgsRaqHcHUELGPyYL8KK6je
TLSH	T141453ABB1BE30D84FB1E35B0188FD7441ED33C6144B08CA6EA6176E719225BAD6512EF
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	34ecc4d0d4e8e8c4 (2 x AgentTesla)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

po.exe

Verdict:

Malicious activity

Analysis date:

2022-11-23 17:01:36 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/46dc95dd-4114-4991-8c83-4eb6d36b9091

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/337744/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1617.17728.7285.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637e515700c584752ee19ec7/reports/94945904-6e40-4d77-89c3-d5066cd99953/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4c412861-e113-4157-a2db-e0cb96fec46d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1119919

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-23 15:57:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tpyzfir65ocew3ulahcb2cc5dqv7wv3gknzs3goxi2cxd4ncr62q._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221123-vhdmwsca3w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument

Unpacked files

SH256 hash:

418fa64e0bbab77d310c0bab708247de7f78d1188e9a405bcae84b5ef89958df

MD5 hash:

fc56a7c5245e733081a0c782b0a6ef8d

SHA1 hash:

dedd6fef4ded7f8422bc0464f76d6107ef994cfe

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

SH256 hash:

b844a1c1fe6f4bb180ee03beb0a150e8621646822357c9f8ffb36bb0e27e342a

MD5 hash:

441f3ed76faa64115527ea1e7ab39519

SHA1 hash:

cef6ff0db32ee429ae764372ae50de4113dee594

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

SH256 hash:

c78401563e8d5557050f906f12a71b10d5f0a6650d012ba6c8fbe99a11f80668

MD5 hash:

55b76ea1ac804d6fed4f499ba47a070c

SHA1 hash:

8aed16136be9eec31bc1d0c38513008acd286d9a

Detections:

AgentTesla

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

Parent samples :

ee786b17c0debabc35aaa386da758c13cc9e0952b0d2d4e265756f493f82c2ed
9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5
53643684e723ff5fe2cfef8ab65cd8395120f618223e4fa44c2fad60e0b0e29a
9196273424391332296b033958a8271b9937e8688e3a3c36bd04d5dd62f164cc

SH256 hash:

cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4

MD5 hash:

aabd0bdc81026ade6c57383f21d5c227

SHA1 hash:

4b26936bb8c03be6d7963184215a5ab594ecb765

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

SH256 hash:

7427f8d2f6a0a2693a893119c4fd0a765b179bf29d7e9562e356f0222ce32074

MD5 hash:

5ee9630b14cec3bb093fd44fb00a0672

SHA1 hash:

01e512ff55929d97fef0c1f0f1b68814a1d261eb

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

SH256 hash:

9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5

MD5 hash:

9f47406520b38e4f56e23574dd77f25b

SHA1 hash:

08b429e3c04ee8ab3dee4f767538e1d7402e9d83

Link:

https://www.unpac.me/results/8e1a6a98-420d-4778-85b3-9b70f8204d27/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9bf192a23eeb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/9bf192a23eeb844b6e8b01c41d085d1c2bfb576653732d99d7468571f1a28fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/337744/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample