MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2
SHA3-384 hash: b2acd9f6d988e5210e5e2dac5dd7bb95075db037ed3744e1e078ec31c474e7d46fec7ce126281df204b1ea5645384325
SHA1 hash: 494cb46d10652ec50c256cf527a407ffb4284c73
MD5 hash: d54dfdfeb14635392de249e798b2ef09
humanhash: may-alaska-florida-apart
File name:New Order 001TTG4.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:71'680 bytes
First seen:2024-02-29 14:22:50 UTC
Last seen:2024-07-24 19:37:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:7ILbBJBl65ncEedAao+V12msY0K56cP4OZuBS/e7KHA+Y863hrqYeRl8kKZD5+bN:ypzYglmRrbVXZDRHhMN3RmN35eyjS
Threatray 54 similar samples on MalwareBazaar
TLSH T1B1638483F6989301E92564B1C4EF193003E26EEB6B33E2993F5CA79D0D51363DD92B49
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
337
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.447.9927.11356.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade net_reactor packed
Link:
https://www.filescan.io/uploads/65e0934a5382d6240abb6b81/reports/91794bf6-614c-4845-a45e-6449a203f7de/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/742e5ed0-c4d8-42f7-8d1c-ed4774457f42
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1400936
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1400936 Sample: New Order 001TTG4.pdf.exe Startdate: 29/02/2024 Architecture: WINDOWS Score: 100 19 mail.ronaldsmith.loan 2->19 21 transfer.sh 2->21 23 ronaldsmith.loan 2->23 29 Snort IDS alert for network traffic 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 10 other signatures 2->35 7 New Order 001TTG4.pdf.exe 15 3 2->7         started        signatures3 process4 dnsIp5 25 transfer.sh 144.76.136.153, 443, 49705, 49706 HETZNER-ASDE Germany 7->25 37 Writes to foreign memory regions 7->37 39 Allocates memory in foreign processes 7->39 41 Injects a PE file into a foreign processes 7->41 11 CasPol.exe 4 7->11         started        15 CasPol.exe 7->15         started        17 CasPol.exe 7->17         started        signatures6 process7 dnsIp8 27 ronaldsmith.loan 31.210.50.51, 49707, 587 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file / registry access) 11->45 47 Tries to harvest and steal browser information (history, passwords, etc) 11->47 49 Installs a global keyboard hook 11->49 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Contains functionality to register a low level keyboard hook 15->53 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-29 08:11:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsmnn66gxptdkta5y75dpeo7cz6gjdzq6y4xuwcpdqoula466lra._file
Verdict:
malicious
Similar samples:
08d40f912315a3b900bff66c2b47c3c85950bcf35ef60b651cb9bf63a116777a
AgentTesla
b3d2974e884a55f91e356067b1b03ee2f3772254df4cba83e64b84570ba7bfe0
AgentTesla
bbbea2ab5d8c908df9c8446f86f5bdda283f4f4d01fff24f3f49cebb494f44da
AgentTesla
c1b3cd05986ff0defa0b80c9ff8982b21cf236bc41504c3ab6495cfbdde414fe
AgentTesla
e70e1bd882581b134cb393096ef6121439018a1cbcac26010527ae5093d3d4ed
AgentTesla
+ 44 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240229-rp47mscc27/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2
MD5 hash:
d54dfdfeb14635392de249e798b2ef09
SHA1 hash:
494cb46d10652ec50c256cf527a407ffb4284c73
Link:
https://www.unpac.me/results/edd923e4-c954-4ed3-abc5-6aa2bebf5619/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c98d6fbc6bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c98d6fbc6bbe6354c1dc7fa3791df167c648f30f6397a584f1c1d45839ef2e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments