MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92
SHA3-384 hash: 6c1557c83805e5960cf5236f8311bd6f4720501e90a9dcaa43d32c5fc763ba8bbc7a4db97b287343cd4a5e0655bb3eeb
SHA1 hash: 6e9e6bc3d3a31b2579bfd5c2a6838683b4b070a5
MD5 hash: 83eef57c4bd5e6edafd6a369bc21ca7c
humanhash: winter-mirror-nitrogen-uranus
File name:MATERIALS NEEDED.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:485'888 bytes
First seen:2020-12-03 08:32:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:6UtyQo1XFTCmV3LruG1uIJTyPrihnmnrE0tZFEn:lyQqBmGMihnpGi
Threatray 1'635 similar samples on MalwareBazaar
TLSH 68A4F132325976AAF9BA0FB0646435840DB9793B6724E2CDBC44115E68F3B02DF50EB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wfpu1.de
Sending IP: 212.72.182.79
From: kontakt@beschattungen-muenchen.de
Subject: MATERIALS NEEDED
Attachment: MATERIALS NEEDED.zip (contains "MATERIALS NEEDED.exe")

AgentTesla SMTP exfil server:
smtp.sadafqatar.com:587

AgentTesla SMTP exfil email address:
ayousif@sadafqatar.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106544/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6091.22779.27574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554427
Signature
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326312 Sample: MATERIALS NEEDED.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 8 other signatures 2->49 6 MATERIALS NEEDED.exe 3 2->6         started        9 wPRPI.exe 3 2->9         started        12 wPRPI.exe 2 2->12         started        process3 file4 25 C:\Users\user\...\MATERIALS NEEDED.exe.log, ASCII 6->25 dropped 14 MATERIALS NEEDED.exe 2 9 6->14         started        51 Multi AV Scanner detection for dropped file 9->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->53 55 Machine Learning detection for dropped file 9->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->57 19 wPRPI.exe 2 9->19         started        21 wPRPI.exe 9->21         started        59 Injects a PE file into a foreign processes 12->59 23 wPRPI.exe 2 12->23         started        signatures5 process6 dnsIp7 31 mail.sadafqatar.com 162.241.24.95, 49733, 49734, 587 UNIFIEDLAYER-AS-1US United States 14->31 33 smtp.sadafqatar.com 14->33 27 C:\Users\user\AppData\Roaming\...\wPRPI.exe, PE32 14->27 dropped 29 C:\Users\user\...\wPRPI.exe:Zone.Identifier, ASCII 14->29 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 41 3 other signatures 14->41 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:02:28 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvaqcq25lr3b4wb3ghourxonlphhbanofyuq6bbtbzwe3p4vjsja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
09b7bf15736eeb15efdae06322e1aa1e8f960d3264aa380ab0ba05a348aadca6
AgentTesla
0f20eb4400b00c0698e5f24ca1541203eab68f6104aa15e8002bf845b0326076
AgentTesla
52d815927044f076244cd3c57b5ac83b3354750b9e4a062471c9e6ed87e2adcc
AgentTesla
55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15
AgentTesla
623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
AgentTesla
656b086e8dca8fc10f4527b417be09a34cce186fe1ade61c38fe56775cc86e5b
AgentTesla
9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6
AgentTesla
ac4bc198b74ee90e9ae296353856fe12fc688a42bdeb2b8b9b4f6c2923cd668a
AgentTesla
feac2864dd0dde4d9fa58c93930c21c8a0786de9f1260e742b61447c826f7fb9
AgentTesla
+ 1'625 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201203-ghdgvkvg56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4e7a3460a06d1912818b8231b2cf1716f446cd037b9ed9d0288f7d4e790462c2
MD5 hash:
95bbcf9a124d359b3195c92bb6934401
SHA1 hash:
2c41ddd3e558b0521a81a422faf035723e2f7e0d
Link:
https://www.unpac.me/results/70c0dc68-fbf7-4e1e-bc78-565e9ac4114d/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/70c0dc68-fbf7-4e1e-bc78-565e9ac4114d/
SH256 hash:
3cbbd5fd803c3623b7c92410d11444ded567b192537351c480c5ea084dfcb2c1
MD5 hash:
bfaeaf081ca95383cfab05b2afcd7b0c
SHA1 hash:
d376a6b5b61b18ab3a86d9b13af5d298ce2b0adf
Link:
https://www.unpac.me/results/70c0dc68-fbf7-4e1e-bc78-565e9ac4114d/
SH256 hash:
9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92
MD5 hash:
83eef57c4bd5e6edafd6a369bc21ca7c
SHA1 hash:
6e9e6bc3d3a31b2579bfd5c2a6838683b4b070a5
Link:
https://www.unpac.me/results/70c0dc68-fbf7-4e1e-bc78-565e9ac4114d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 88e52f30c8f16cf3ca64baf56129a9bbdded14e9aab955265ca923f1dd634418

AgentTesla

Executable exe 9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92

(this sample)

  
Dropped by
MD5 316c55159a7836dd007c9258129a3145
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 88e52f30c8f16cf3ca64baf56129a9bbdded14e9aab955265ca923f1dd634418
Cape
Cape
https://www.capesandbox.com/analysis/106544/

Comments