MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c126d87c5f7e379306e67c3f26c8f1019ef99b9d605618c77c4083f8c8c8ac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	9c126d87c5f7e379306e67c3f26c8f1019ef99b9d605618c77c4083f8c8c8ac7
SHA3-384 hash:	dda4520c86c9d08bf61e2b62d6ba4d8172d505b7920c1ad6cdcd230343350da52301e39cc7d7a09409a4b6fc12e8aecd
SHA1 hash:	5c09c3bacae03df7a651ecd8c44747b915d20e12
MD5 hash:	af8a91a957aa58e6ffe9eeb1c4a6723b
humanhash:	social-xray-uranus-sixteen
File name:	EidlNArnbdWLtfL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'846'784 bytes
First seen:	2021-06-02 19:35:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:zEa+DO+6CGltF6CygoA52Mirl24f8st7xD3jXslU1DTedy5JL8Zd5LKWtz/mgoyL:IslH6JgrYV2DsjjclAOoDwZHlxm0B9
Threatray	5'558 similar samples on MalwareBazaar
TLSH	6A859D121B050F5DF43DABBDB43A500A87F87D45F3E0EE5DB85939E827BAB028D46252
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EidlNArnbdWLtfL.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-02 19:41:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/35d6b029-8c89-4426-9610-40d653eda79e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/164202/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/796239

Signature

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9c126d87c5f7e379306e67c3f26c8f1019ef99b9d605618c77c4083f8c8c8ac7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-13 10:42:37 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqjg3b6f67rxsmdom7b7e3epcam67gnz2ycwdddxyqed7demrldq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

674ab7cd2376e31a811469d50be263894d78b14c826b02a61b7da6069481522a

AgentTesla

7bcd067c0a67a7a6e2c3f3079b626afb4f9ab1b8643b50dce1a69cd94fdab4ee

AgentTesla

9057936347c73028c880c06c0f41c373e3db3b75085f5b8da60966025c545d4b

AgentTesla

9565ebcbb8cc07c12a28b5492741c237c0574758c6d033216bb10dc83bf21335

AgentTesla

b1617ffb1927fe6176fbffc4ebb242635c19bb656811967cba47493a4a43a580

AgentTesla

cd33314417e59031e5fb210cd40ce59202160d1a711c9e55fe1c3b04dc7431a5

AgentTesla

d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8

AgentTesla

dc688750bac89efbc67a9953b71351ab3b59551e0d293602ca3baaf75f8c5d71

AgentTesla

dce8c2e5bfa677c2971dd88a020fb27193c11fc9759fbe9ed52704fa7ec9f7f2

AgentTesla

+ 5'548 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210602-fwzbhpg3qj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c126d87c5f7e379306e67c3f26c8f1019ef99b9d605618c77c4083f8c8c8ac7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164202/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample