MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6
SHA3-384 hash:	42e26cd76ddbfe4487c9847e0c0e9363e350634d626beb88434e46f311cc0d00bda285ab98ae266a5835bb7a38d48d40
SHA1 hash:	5217fd18aa499517afa1943cfc8303388a495df4
MD5 hash:	6d727d652ee5a5870ec5f5ecc3b08dae
humanhash:	tennessee-colorado-juliet-chicken
File name:	LisectAVT_2403002A_84.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	696'326 bytes
First seen:	2024-07-25 00:48:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:Yma5WqsWsf0XyPDx9VcBRpdFyQIA/tnCe1nyYZvM5BgCcmwpS4bF:YiqsWstPDqTbFQxebZqw
TLSH	T1D4E4F19D3B10B6EFC85BC9768AA46C64E520747B830BC303A09366AE9D5E4D7CF055F2
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	Anonymous
Tags:	AgentTesla exe

Anonymous

this malware sample is very nasty!

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

keylogger overlay packed vbnet

Link:

https://www.filescan.io/uploads/66a1a107dfa8b2fced4e399d/reports/df33b8c2-c24c-4885-a3e3-f56b0b865fbd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/828e3ee5-d869-4a36-8e06-dfa0c26f35d8

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1482151

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-07-25 00:49:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ttrhlsuj227pw3lf3evymjium7ytfevild5rgjmeqfaxalt5663a._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla credential_access discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240725-a6f3ps1aph/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f0e390d8-9fe5-43b8-bd26-081ed2676593

Unpacked files

SH256 hash:

4149b5aa3b8e1e59f177098fdef0e0cd23fbffa42fc83599a5b3525ad48b3cdc

MD5 hash:

fbb2ddd9312aed1e0bea864d70c4b213

SHA1 hash:

ba55c9a082d7463557b04c668150efdf083f5623

Link:

https://www.unpac.me/results/1f58f490-4062-4ba9-9739-713e6247625c/

SH256 hash:

934493ffcf84233432ef4b4bacc7e1e282acd7366505bc3050f619e6e3767f4c

MD5 hash:

6458eafa0681114ad4f98d4014223d76

SHA1 hash:

a8f40dd46897496cb5c286889748760f62fd79dd

Link:

https://www.unpac.me/results/1f58f490-4062-4ba9-9739-713e6247625c/

SH256 hash:

a630303e60dc57fd79a17d0b68a41d3304239f42d3ffbc404a7894d96d01c75e

MD5 hash:

ffd3d339c0b137f2d372899b41d2984a

SHA1 hash:

32ad640fd026a4547eab30590fe369bcd7c88492

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/1f58f490-4062-4ba9-9739-713e6247625c/

Parent samples :

b6d91bc05bcc51b0a9e9f6e605493168b1a78ccd6f234030d05461e12544cffb
d1f0868ae3889a44d3a0f4e0650c8c9f0806cbae37dd5d8966376463b6bcf505
411217082847be5939620211887564a0eb9bce1ba6f5cc20fc73423448270762
1df0c341d46eedd47ce75ec705adfa348e67ed09695c36bf575a8e664c015369
9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6

SH256 hash:

d9ae03e49f20bfdfb5af7e34241399ef448b83a923f81768ead36ae41c2dc7ce

MD5 hash:

128026ff4f068eca99d23432df9f854b

SHA1 hash:

2269d7b7357fd4feb8280e0e4b52eefca9a60f14

Link:

https://www.unpac.me/results/1f58f490-4062-4ba9-9739-713e6247625c/

SH256 hash:

9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6

MD5 hash:

6d727d652ee5a5870ec5f5ecc3b08dae

SHA1 hash:

5217fd18aa499517afa1943cfc8303388a495df4

Link:

https://www.unpac.me/results/1f58f490-4062-4ba9-9739-713e6247625c/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ce275ca89d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 9ce275ca89d6befb6d65d92b86251467f13292a858fb1325848141702e7df7b6

(this sample)

Link

https://bbs.kafan.cn/forum-31-1.html

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample