MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
SHA3-384 hash: cc5c74376b3731e5dd812f5ec1a6907496ffafbb0c565ba9a3c2bfb9afaccd5cf5c57f4c199b109f2c867e03af7a7cd3
SHA1 hash: adc30572882ec442f1449e95fad448bfb7bd7e6a
MD5 hash: 3088bb32b972b7f9382cf484558ec84d
humanhash: princess-foxtrot-purple-fillet
File name:contract.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:626'688 bytes
First seen:2023-04-20 10:16:24 UTC
Last seen:2023-05-13 22:48:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:FPGKNniHsLoTDi30Am+NjMWJcY5rR245hrMaUyKRU6EIHcAeishJPY:FBiMoakGGWJcz45hrMaU7AIHcPL
Threatray 331 similar samples on MalwareBazaar
TLSH T1F4D4F129A170EEA2D6AE0776002436DCEB7152A73473C23C4ED774DAA76FB191CC4987
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
238
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
contract.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 10:49:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df1e7340-8fa5-4703-88bb-699cfa27516e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383711/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644111312efbb8b9c3f52a6d/reports/44a8bbb8-01ad-44eb-96ae-8912d409ff16/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46160d9f-02d3-4b81-b579-d7f5d2ac30c9
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217906
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850852 Sample: contract.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 7 contract.exe 7 2->7         started        11 gvpOwlFr.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\gvpOwlFr.exe, PE32 7->31 dropped 33 C:\Users\...\gvpOwlFr.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp8C11.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\contract.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 67 2 other signatures 7->67 13 contract.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 21 gvpOwlFr.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 masarengineering.com 68.66.248.44, 49700, 49703, 587 A2HOSTINGUS United States 13->39 41 mail.masarengineering.com 13->41 47 2 other IPs or domains 13->47 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.masarengineering.com 21->43 45 api.ipify.org 21->45 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 09:56:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttx4l4owx7ju5zphosdcm2qc6b32e5x3ft75d3wdxhqzy6oyepaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580
AgentTesla
40f520059151169261544437b55034ba75964151f2fb4e931b9c5f648672d70c
AgentTesla
5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b
AgentTesla
702cee46d4f13081bcca06cfe54412f0e9115a48035d440911fae79ea0100ae6
AgentTesla
8c3a54283aca092b244c89ebb641bb372808b3e51b752936dfbea95dc32eeb95
AgentTesla
c37e211564b4d5b3447fd8be8526724a4193ac8d9a99efddc3d599f7b5e6af51
AgentTesla
ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1
AgentTesla
d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35
AgentTesla
d54151c230934c4d85c69c1b0e9f8dacd60104fde0d2036a7752f49293d25c5b
AgentTesla
e140afebb983de95cb1dd97095f73929c26dd35d5773c170c95c94b7af5023bb
AgentTesla
+ 321 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230420-mbdqbahb79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
SH256 hash:
c6aa7d9d0c1b7a8242babab6bc810f334a7923cea605bf0ada2aef49d8debabb
MD5 hash:
1dff6604b96dc194375221389dae0c33
SHA1 hash:
9ac912f81417544669129fd54b6daa2a8f264df8
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
SH256 hash:
dc2fcd2585513c7f136c9370d33b4f4f067169a42cd10df23e85b74c70657319
MD5 hash:
ee74143eccad830627307f91ab7838d2
SHA1 hash:
78d084acc4b8b244f9d296f02dd8d7baa2710868
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
SH256 hash:
f019cbfed9a48d21b57620e9e9fe44139a49d8f6ad72e1db96e13485a79684b3
MD5 hash:
9145a823fd2d38c9e827c932c0e1a688
SHA1 hash:
0fd71390162822b2571c34a0ed5289d9e09662d1
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
Parent samples :
02169571891ab7333002f983d3544b2a78a775d1d55f594c5ce49883b108f3ef
9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
4f106e71463410c0880736786b987b0329cb64a441481794230890d48661c9b2
326032825841da4be49637c2d5f0f15049c281f31d4178ac9246c543af96d1ec
SH256 hash:
698efbaf29ad1c5a3d1db7008beedcc08561ac27467188e2fd8c212085326c66
MD5 hash:
d5fbbb438371b82c274fc7e82828db8b
SHA1 hash:
032b764ef5b3eaed11fadcd726d27fc05264fca2
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
SH256 hash:
9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1
MD5 hash:
3088bb32b972b7f9382cf484558ec84d
SHA1 hash:
adc30572882ec442f1449e95fad448bfb7bd7e6a
Link:
https://www.unpac.me/results/52f6f322-fe3e-4401-9d2e-eb35ba7b2643/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9cefc5f1d6bfd34ee5e77486266a02f077a276fb2cffd1eec3b9e19c79d823c1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383711/

Comments