MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e
SHA3-384 hash: 3c3ba0bdd5ad6fb4114285e24f538804996bd90b0f3ad690b465d04433165d2588e3546c837f6fcc5252f2a111d2dd40
SHA1 hash: 02ce76e7fcedabd270b8bb58def53a1801fc25f2
MD5 hash: f8a3aff75d063652e4fe43b2408cb2d6
humanhash: tango-virginia-missouri-red
File name:doc2022051101001.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:686'080 bytes
First seen:2022-05-11 07:22:21 UTC
Last seen:2022-05-11 07:42:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:cpCpe2ZT5/TNH0do3hdF0LCCh+Sp2QJYksLd4zc2Y9QUzudRYFp:cYZZT5/Bwo3hd2lh+rWYksLS4p4TYF
Threatray 17'022 similar samples on MalwareBazaar
TLSH T175E41204A2E8D965D5AF2F70607D60186F75B95BB936E31E4FC4988E2C53BD20C60BB3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d2e25945ba9cf0 (15 x AgentTesla, 9 x Formbook, 7 x Loki)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269621/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.15289.19698.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627b64702412b4e5a46359c4/reports/9eb3df73-957f-4d6d-a9bb-6b7292afd387/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ceec8ef-c8fa-4876-bf65-21fb280a4918
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991662
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624158 Sample: doc2022051101001.pdf.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 8 other signatures 2->41 7 doc2022051101001.pdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\CuqCgthQbkpdO.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp347B.tmp, XML 7->25 dropped 27 C:\Users\...\doc2022051101001.pdf.exe.log, ASCII 7->27 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 doc2022051101001.pdf.exe 2 7->11         started        15 powershell.exe 24 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 isnova.com.tr 109.232.217.109, 49770, 587 AEROTEK-ASTR Turkey 11->29 31 mail.isnova.com.tr 11->31 33 192.168.2.1 unknown unknown 11->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 2 other signatures 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e/
Threat name:
ByteCode-MSIL.Trojan.AveMariaRAT
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 05:02:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqdrv7afj2fgkmutc6tlispj6qizuvkgykz2lqwotpzmwgqeurxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
294f474790e387c27574d3786346002d696aa7770f957afc9dce9ab3383a2298
AgentTesla
53276d0a0acc73fb550b5b29cc686c0e646ee69333e803496cac726b337b5515
AgentTesla
58d325351b79f84d68ef5586de43ec3708fc0e142a83007fddbd7a05c20021ce
AgentTesla
8d133af231eb501946982af0b75fead80104cf1c12b2eb16ded3f8cdbc066053
AgentTesla
ba40d672744d9fea782381b7b609bc2cb381437d94afdaf458e17e8be0271fc2
AgentTesla
da58a512dade08a3539fc4580884e30c389a4f8127f155ddc43389a38b9abee1
AgentTesla
dd3d5e3e01b86223fd3a517b9d153fa85a842d4b816b18f747d85df181e1a38b
AgentTesla
eba97a314b1c02ecdd75fe691c6883b214dc0b239d0ba39b7d578162b5218ad0
AgentTesla
+ 17'012 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220511-h7srwsfhd5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2ee4ec3aace823212164b15ec9c9d645a4744eb51bc0a2beee76d47685440cc4
MD5 hash:
b4b82af31f9d5861f9706b4fdc8db6c8
SHA1 hash:
e400aa2708b6acb36a243430e3292e07f1fbee83
Link:
https://www.unpac.me/results/7a69c3e4-9b9e-4e51-8b73-19395fbae865/
SH256 hash:
50268ec584054a006161b5228dd40f39cdb5b57417f6a259929aff952c2f0f27
MD5 hash:
c923edab1d69c833857769f7665ffb1f
SHA1 hash:
70cc8ac6d393c917ff7e5516108c686fa5d4b54e
Link:
https://www.unpac.me/results/7a69c3e4-9b9e-4e51-8b73-19395fbae865/
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/7a69c3e4-9b9e-4e51-8b73-19395fbae865/
SH256 hash:
45c0a342d504d1457d100e85bd67b386b52ac50e940e2365a50d81da298e2b72
MD5 hash:
55ca08ac0b11312afed577536684476b
SHA1 hash:
64f8efbe89c882ed398dcec46ee702de0b4ea7bc
Link:
https://www.unpac.me/results/7a69c3e4-9b9e-4e51-8b73-19395fbae865/
SH256 hash:
9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e
MD5 hash:
f8a3aff75d063652e4fe43b2408cb2d6
SHA1 hash:
02ce76e7fcedabd270b8bb58def53a1801fc25f2
Link:
https://www.unpac.me/results/7a69c3e4-9b9e-4e51-8b73-19395fbae865/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c071afc054e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269621/

Comments