MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
SHA3-384 hash: 6b67265081294b19347f0ade4b611735ba89c4ed1655109b145c1e84af10ce5b1b801144682393b94639cabb3eaa75ef
SHA1 hash: 8ddbf1662cf2d2284f84104b7a15d8173afd0078
MD5 hash: c4d834819273c01a996610613cb02a38
humanhash: steak-stairway-magnesium-georgia
File name:9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'641'984 bytes
First seen:2025-02-18 01:20:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:VP4nzc040H0v2ZOnYFF4bzFDWM6TbpKVps+RDe8tAgxi+AFTnhJ00H9VdD9l6Rzi:VP4nzc040H0v2ZOnYFF4bzFDWM6TbpKx
Threatray 4'313 similar samples on MalwareBazaar
TLSH T1E5756F4A6A1B66AFDBF58630C21BB4C442B99DD7676E87666C38015FC00520DBCF3CB6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 62c292b2b28a8ea2 (3 x AgentTesla, 1 x PureLogsStealer, 1 x PureCrypter)
Reporter BastianHein
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
850
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d.exe
Verdict:
Malicious activity
Analysis date:
2025-02-18 01:22:01 UTC
Tags:
purecrypter netreactor evasion stealer telegram exfiltration agenttesla ims-api generic
Link:
https://app.any.run/tasks/cd777721-f6f4-4819-9c47-ed1d34bef825

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b3e18ba0fd713c335b858a
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
Creating a window
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/67b3e084633d73336289620b/reports/39dd5725-0897-41f8-a464-191a23b2bbba/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b46f5126-a956-460e-9301-a0f114c2ce1f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1617588
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-02-17 15:36:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 37 (51.35%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpzbvofqco5an7hqewbyzufmrety652x2bgioe7tzjbchv24xu6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
143c6e7ae3ffbbb27ff67f0cae5b680b3851faa0c8879c1e892c6b7831675496
AgentTesla
42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898
AgentTesla
95c2a042a467f97460c93273fcf64bd426ba85de05c8d92f568c9c3bf1b54a91
AgentTesla
9ab373c6892a6232262c29c5522cb142432566aa09f86898a18282c9be074bb4
AgentTesla
9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
AgentTesla
b384eaadc17e9417f7c4055d35475941c08f0c78bb86eba4b21e6883fcaf43fc
AgentTesla
error
AgentTesla
+ 4'303 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250218-bqrd6swqz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f005d1a8-ad3e-45fe-b197-6a20c745d307
Unpacked files
SH256 hash:
9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
MD5 hash:
c4d834819273c01a996610613cb02a38
SHA1 hash:
8ddbf1662cf2d2284f84104b7a15d8173afd0078
Link:
https://www.unpac.me/results/3a0fe80b-a69b-4100-b8ab-16222163e696/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bf21ab8b013/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:svg_attached_js_code
Create hunting rule
Author:Anish Bogati
Description:Detects suspicious SVG files with JS code and base 64 encoding
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments