MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c
SHA3-384 hash: a52a421d390afa2e1b6b13bcc00cdc860c94c40b06fb6fb58722b92f0a1f1ed0c47f402350ea9364919ee1504a369a85
SHA1 hash: e261b7fb60e76fb2d08e9d14f679b83aad5123a3
MD5 hash: 20c9a9ac84644f8ba67da36960ae4a9f
humanhash: florida-oscar-moon-london
File name:PO W003126.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:793'600 bytes
First seen:2023-02-07 15:21:17 UTC
Last seen:2023-02-07 16:54:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Bpk+PAZcXnyXx6q16ahRZ5GryyLm8fxyhqIZywxR3s0MaImkh+/k8glHy5QOa:jAZ1NMS5Grvm1qIZycR3TMih8RlnO
Threatray 24'335 similar samples on MalwareBazaar
TLSH T15AF4224113A9D620CCBD99B6FB39A5D4433C63126466D76C0BFC61CEC9B0721EAA031F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8200828086860000 (9 x AgentTesla, 5 x SnakeKeylogger, 4 x Formbook)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Solicitud de estados de Pedidos.eml
Verdict:
Malicious activity
Analysis date:
2023-02-06 16:19:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/060dd534-c0b5-412d-9fa0-8895bfa95e3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/361416/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65377026.15420.15647.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e26ca396add6d1cf49f05e/reports/1e2e04c3-3836-4e77-a149-588d473484c7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a81e84ff-4ca1-441b-a658-8692e46b80c2
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1167814
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 15:01:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twdsbubtkcyhg7qkgfn56jgxtijujwd4cat2p4a3tfy2hyaa2aoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
41857a1bfb1cda7337d39a4c6bcec253fb44532179f9cb12e919608f227e3dcb
AgentTesla
4795e398d5dce733ecb352580be08b33ae668684856a5cf34a8cc21fa303c60e
AgentTesla
5cc899a8dd9072ce72a49004c5b9f7cc074e4e7c4088fa89b25767182976e31e
AgentTesla
62a868ec8c1727bcddd3954bd37e482a5584bd40b7163132738885b7deffaa4f
AgentTesla
91f7c342ce163fe12c018a5068f921b5b78574cf05927bb85876be8484a2c237
AgentTesla
9205a59f5c11c1e77ca151d15e2c24bceb70bf15afd6a0d1351de8baa48016f8
AgentTesla
b1a5b664300ebe7d44ae27b9bae5b44c74faf5cf6b049a69127534ba55a43930
AgentTesla
bfb963f003ea24be47ad11eddee613145bb6a470df3cee4579a50921d0a40797
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
+ 24'325 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-srw5gsfe8y/
Behaviour
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1067892361159512115/WDpV5bOytew3MVbkuWHuu_oV9ZcXt08gk2uDs5IEmYzSo-POdpCZ6VLRb5IWyC44qxVW
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
SH256 hash:
392c6726905a3619cf0036076c837144410d947a483c718a6a61467ec8e63061
MD5 hash:
960d404470febef35043db290b7fa874
SHA1 hash:
976487ffc6741724559095a8189d383b3a772f22
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
SH256 hash:
1c825bebe376bb3391f480561b8291d99a49886ed617413e9c9e7cca134d0a38
MD5 hash:
ebb796d437c4596cfd17e541ac4b3545
SHA1 hash:
2d3cc2ff230db142777d5d42ca4e1af8eb71bc66
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
SH256 hash:
85b0f98262dc419bc0e60aa4c8be0e304ce98de4c7be80fa74275b98c602b18b
MD5 hash:
deadb24f439a6b9e23f36eb6140bec1a
SHA1 hash:
1e4147c636324f12a918474c1ca93f4a0852c866
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
SH256 hash:
9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c
MD5 hash:
20c9a9ac84644f8ba67da36960ae4a9f
SHA1 hash:
e261b7fb60e76fb2d08e9d14f679b83aad5123a3
Link:
https://www.unpac.me/results/ac773bda-fe63-46ae-b73d-c2d655b99089/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9d8720d03350/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9d8720d03350b0737e0a315bdf24d79a1344d87c1027a7f01b9971a3e000d01c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/361416/

Comments