MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1
SHA3-384 hash: b0299de2dee81b64b9a675944ce390769939fc442aca65794d9018b6354c30c8b70e76d309be3c8647c22686627eaebb
SHA1 hash: d1bc7c19b359d0a46baf7b1661af4f9b849e6d30
MD5 hash: d3cb74f54e234ecdabc5793ae5b867b7
humanhash: bluebird-mountain-uncle-chicken
File name:PI Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:421'376 bytes
First seen:2021-08-31 03:16:52 UTC
Last seen:2021-09-05 05:36:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:IXe9PPlowWX0t6mOQwg1Qd15CcYk0We1Krx:FhloDX0XOf4Erx
Threatray 10'288 similar samples on MalwareBazaar
TLSH T1C394CF90E94CBCD9E59A5173713AC42C1952ABD986F402AF72AB7E3455F3BC230B3D06
dhash icon e4a4a48c96b2f074 (22 x AgentTesla, 8 x Formbook, 5 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI Copy.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-31 03:17:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fee51ac2-9d66-4365-9e9e-3fc47477a3d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183932/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e15b5ec-ff10-4bf5-ac28-a213f058f734
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842228
Signature
AutoIt script contains suspicious strings
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 01:26:45 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tttrknlpf3a4ftxg6dy7pypykm5tu27cjboil7eafu77sx5ui7qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737
AgentTesla
27c7757a5432815c4867ebeeaa23152703af16520d73117a372e6371061fc1ee
AgentTesla
29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506
AgentTesla
8344690f025846a5a0dcf5d6012a94cddcfe48ffcc06fa6d566bb4ef149e6716
AgentTesla
b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
AgentTesla
b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9
AgentTesla
e9714695528eb1f8786fe8a7250f952f23b3205a4e2a60073668717eb2f5dc2b
AgentTesla
f8efe3e66289ce15fd9b0f85a3e0d90660cae9f12385f69e81cfb6f2e3ece3c7
AgentTesla
+ 10'278 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210831-vhrpqksj9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
2ea58df9824cf949e42fef555447c4e1ca56ef3a5492e04573830be62b00bc38
MD5 hash:
73aff63f55082942dbd88293dba2dcea
SHA1 hash:
d7df1b7a165f2c44b95d1b638cf30f982b8c9504
Link:
https://www.unpac.me/results/fa5536be-6760-47f6-95d3-a94cae592b04/
SH256 hash:
9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1
MD5 hash:
d3cb74f54e234ecdabc5793ae5b867b7
SHA1 hash:
d1bc7c19b359d0a46baf7b1661af4f9b849e6d30
Link:
https://www.unpac.me/results/fa5536be-6760-47f6-95d3-a94cae592b04/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9ce715356f2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9ce715356f2ec1c2cee6f0f1f7e1f8533b3a6be2485c85fc802d3ff95fb447e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183932/

Comments