MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
SHA3-384 hash: c67b617bacb77394d852935d2bcd221c6bb53523e8c839d0cf04118af3c7f44229a2cec19aea94e27ea12f3a6cc1e751
SHA1 hash: 48c6ba82e866bca5b6f6c4591476a734345d5005
MD5 hash: 93dbb6b1a06d7fc13835eb2b16446f6b
humanhash: item-whiskey-ink-kitten
File name:9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
Download: download sample
Signature AgentTesla
Create hunting rule
File size:655'360 bytes
First seen:2023-12-07 14:39:06 UTC
Last seen:2023-12-07 16:17:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:DnNuPLq5L2JpMjhtIBP/u3Yn6qD3jg/cqblUF5PTYIL1tJxh8M7:7YLKL2JOVtIBnRn6KR7/np8
TLSH T15DD41200A2BB1B49D8BE93F559766324437ADC531273D71EACEB61D8A73EB405B01B23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463259/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6571d94418cffa73b1dd6db9/reports/ffa0064b-dafe-4c5a-8eb0-7a56d8afc819/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8aeeb015-1d4e-4ba1-a16e-e247992b64da
Result
Threat name:
FormBook, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1355493
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1355493 Sample: ZgDPnNtvhR.exe Startdate: 07/12/2023 Architecture: WINDOWS Score: 100 30 www.taxhwangeub.com 2->30 32 www.ls7551.online 2->32 34 12 other IPs or domains 2->34 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 6 other signatures 2->48 10 ZgDPnNtvhR.exe 4 2->10         started        signatures3 process4 signatures5 58 Adds a directory exclusion to Windows Defender 10->58 60 Injects a PE file into a foreign processes 10->60 13 ZgDPnNtvhR.exe 10->13         started        16 powershell.exe 23 10->16         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 18 LcgYdDKlEPWzPhN.exe 13->18 injected 20 conhost.exe 16->20         started        process8 process9 22 extrac32.exe 13 18->22         started        signatures10 50 Tries to steal Mail credentials (via file / registry access) 22->50 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 54 Writes to foreign memory regions 22->54 56 3 other signatures 22->56 25 LcgYdDKlEPWzPhN.exe 22->25 injected 28 firefox.exe 22->28         started        process11 dnsIp12 36 africa-connective.com 46.23.69.44, 49742, 49743, 49744 UK2NET-ASGB United Kingdom 25->36 38 parkingpage.namecheap.com 91.195.240.19, 49746, 49747, 49748 SEDO-ASDE Germany 25->38 40 7 other IPs or domains 25->40
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-15 10:44:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tuedj5tbo7xmobc4yhbdc74lnwufogaxiasjs2fhd5b2lmqzmtra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231207-r1wdwacb58/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
f1a5b3fe89471e71a17dfcecaf10866b7a4fed60562584d073f74b971f4a8752
MD5 hash:
802d05686e6e7b1b8395d754eabb279a
SHA1 hash:
2e683e1b71e267fe8ecbb0fec4c6eafd476d717c
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
Parent samples :
0449cc00b0d77cbe2c9e5271db00cb1ca7955d8265b7d664408baa76b09af2f0
b78ba2452dad088b1530134732a00370192386281eb368aba2aef6f9cc11ae97
8e8d8067a54fb765bdb79b9ea1f37dfcd08ea29d6c039dc93c31c8ce6c5f72eb
9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
SH256 hash:
4affe8eccb0183654f4aac08808d02460316b8283441609bb78bc14babdd6f7a
MD5 hash:
90e303cc3cf75bfed919c4b8c384f3a9
SHA1 hash:
54375c92aedacc97722bf91f1c762d3a08a09163
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa
MD5 hash:
9561bc00330bfa400784c1b3b2075d0b
SHA1 hash:
b98f0014f428085dea5ea44108d64d9119e3d698
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
85f2f6b192913ed097dc3f54065cf0149ce911892a3ed856bb596f1bc4997b7e
MD5 hash:
0fcd57ed547a04fa1e71b64ee19cffcf
SHA1 hash:
5abb3c7cf050d3f7b6e15ae6f75fd15218240b04
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
4912e418d36435ae4890bd1c7d67ca316b00b324c8c8160ddf39527b25835282
MD5 hash:
833d0137650b39701cefbf1cd6569bf0
SHA1 hash:
e83da7c30974f0c2d2dff4262a4aebd8fe2fde7c
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
3358e9e1349e82f2256504cc3c460f5ef866e8ddc67b86eb8446536bff8ced4b
MD5 hash:
0b4b3382c93016fb5bcd90a97bc38a02
SHA1 hash:
b126dd31f0e1908a02822acd77df2987cbed03f3
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
6f3fde45cd0b51d1322f25845fd3f2add4d6cb784d6c2281c54ddf276dc8fc18
MD5 hash:
58e85f7d3c0a25dfa23d2f34b36c9246
SHA1 hash:
801d5fdfef7b3a932d4195060d1d96b255ff70ad
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
950f3830729f225c4443c65b8cc9c893c021f657b32c13ebdb13179a3a6fe466
MD5 hash:
fc97046ae02c842a797e8737695a6e88
SHA1 hash:
77b8abc2c4b329dce6380603f1c55e1fd7bedab4
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
479d24ddbc67c658a6da1b0a988fc4f78c571451ce1f0194535265de543fc813
MD5 hash:
9e758b59bfacbaf208f9689b31187c52
SHA1 hash:
65a6a9aabcfcce45d7e143f7525247b2bded9dd1
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
24eb0aa7829f97d66ab2f8b79fafca1dc08a6e44ba29eef41caca4e8397f8009
MD5 hash:
0dcb26062f55ea8afb5c44581ec653db
SHA1 hash:
5f7db9a8f070210e929da3ec6eb828dd62206cec
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
SH256 hash:
9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2
MD5 hash:
93dbb6b1a06d7fc13835eb2b16446f6b
SHA1 hash:
48c6ba82e866bca5b6f6c4591476a734345d5005
Link:
https://www.unpac.me/results/63fdd044-1542-49a0-b4f0-7b3fd953d7a6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d0834f66177/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d0834f66177eec7045cc1c2317f8b6da857181740249968a71f43a5b21964e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/463259/

Comments