MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8
SHA3-384 hash: cc179f68bc07be931d54d7581c0b158b5065c068a950a72ab6451cd626e751a53c14bf5407580ecc73f54f7d56bfdd49
SHA1 hash: df93f8b8e48d36b6c3de751f54f0c4a087815468
MD5 hash: 3d0b5853a55bbeea47f1f6f82729e96f
humanhash: cold-robert-whiskey-lima
File name:centralimac2.1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:385'871 bytes
First seen:2023-09-13 13:18:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:gYa6nWxLzgyWNxr8siH6ryR4ddBtuVR3Xz/7fMwykfYiCXzq:gY5WR0rzscNdBtuHT70w5Qi8q
Threatray 5'546 similar samples on MalwareBazaar
TLSH T19184121876A4D5ABE1651A710F78D4BA16A9FE04ADB1A24B37C5FF0F7B351408C1E322
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0aaaa2b0303aad0 (34 x Formbook, 21 x AveMariaRAT, 18 x AgentTesla)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ- ORDER #SMU68312.doc
Verdict:
Malicious activity
Analysis date:
2023-09-13 13:16:15 UTC
Tags:
exploit cve-2017-11882 loader stealer agenttesla
Link:
https://app.any.run/tasks/d9cf8540-dc20-4ae2-b266-ae0760db1770

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448396/
Detection(s):
SecuriteInfo.com.FileRepMalware.22986.26780.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
91%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6501b6c6829c3479a05e490a/reports/311d8f3e-ca7c-4ec2-aeac-d8f956941c61/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e8afa0d-2ddc-4551-b7fb-aae07bc8fbed
Result
Threat name:
AgentTesla, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308203
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 13:04:46 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsu5nxoi7fbgikheur5hjzn2qoqpztovwrqz377ctxxfettpkpea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19bff37c5b894b30a3522a73a35387fce64f890b94745399c5e72e5bf9c46138
AgentTesla
232084d6349c62484d691cc32cbf5b9ed8c70932d8c4578876043bda903c45de
AgentTesla
87c61e8ad5d2df24cc951473b77ec7ef6e2be9d37164ff829116c2cb73d2d8d7
AgentTesla
8ceceb731a2c09d552835ade18b92d47e10e24cb34cdb4954b1a97905fd10b29
AgentTesla
aeab54e0658f23f3d61b4e692644813cd778eaf5749006efe9115b020dff6b25
AgentTesla
b38b57a54529989adfedab2ef64d18b480154a208cb23d455de6c06668061a0b
AgentTesla
f6f14e614582f94e97f29dc96c69fa61767fd2f6bf5798ad96a7e3c34f189db7
AgentTesla
+ 5'536 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230913-qkg1wacb21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0250b13cdfbbb862f8b24ee0981dce3deeebc9e441690b434f3c7b5f11cd7bbb
MD5 hash:
1b0b9c224ff4eaf419170e2d08511904
SHA1 hash:
1d082dba6b878a17158e130cd705db947b79526e
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/542ac4b6-a2c2-47cc-ba53-a638a8da0f69/
SH256 hash:
245d4f23e0a1ab9efe2f787f18db7cc0d0ce7a4413e973ab4346be88bc00cfa7
MD5 hash:
e73908959b868994792cfbd89ab9aa5d
SHA1 hash:
13bc8735c2fe5e6a977eff49ffd9178f129094e3
Link:
https://www.unpac.me/results/542ac4b6-a2c2-47cc-ba53-a638a8da0f69/
SH256 hash:
7c64e41196e374524db67853c4519675c0705780ef7745b2306ee4978208fb81
MD5 hash:
ddb0558be4ac3d8957a4724957e54567
SHA1 hash:
bf035025d2794b7bdf7b33be8b33dab5ef1a449a
Link:
https://www.unpac.me/results/542ac4b6-a2c2-47cc-ba53-a638a8da0f69/
SH256 hash:
9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8
MD5 hash:
3d0b5853a55bbeea47f1f6f82729e96f
SHA1 hash:
df93f8b8e48d36b6c3de751f54f0c4a087815468
Link:
https://www.unpac.me/results/542ac4b6-a2c2-47cc-ba53-a638a8da0f69/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ca9d6ddc8f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9ca9d6ddc8f9426428e4a47a74e5ba83a0fccdd5b4619dffe29dee524e6f53c8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/448396/
  
URLhaus
https://urlhaus.abuse.ch/url/2711528/
  
Delivery method
Distributed via web download

Comments