MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c
SHA3-384 hash: cd165103f69b4e7da6821d269d74aca48e648c39c290844b6a116f76f6457e57886c280f0d2dcd8b45e23a4fe6067c23
SHA1 hash: 5d4d280333b636ba6f08bd80b0601fe0ce2c4b2b
MD5 hash: 63890a467e3ce20b05c5245cf30926d2
humanhash: don-alanine-bakerloo-alpha
File name:trucking instruction.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:716'800 bytes
First seen:2023-04-18 06:07:52 UTC
Last seen:2023-04-20 04:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BI/niJO0BLWwL/G7X1kBmjXMGYwtz07wj+N0R19MSo6hTgcdHA6uld4y:BI6I04Y0XmmjXMGYwKv0hZo4Jd9ulX
Threatray 2'101 similar samples on MalwareBazaar
TLSH T115E49C3D399F0262E07AC7739EA7F060A3FDE42BB21DF92928D3114446C798B64D526D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
249
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
trucking instruction.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 06:09:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4ba770f-40f4-4a51-b5d8-6506b8ef0a2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382935/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.2035.11648.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/643e33c5000396b4e9991dae/reports/9a829cb6-26bd-4099-ae8c-a7b1f9770a01/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7790b861-5eb3-425f-a52d-2dabc221a185
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215660
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848588 Sample: trucking_instruction.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 4 other signatures 2->44 7 trucking_instruction.exe 6 2->7         started        11 ksNfUOx.exe 5 2->11         started        process3 dnsIp4 28 C:\Users\user\AppData\Roaming\ksNfUOx.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmp273B.tmp, XML 7->30 dropped 32 C:\Users\...\trucking_instruction.exe.log, ASCII 7->32 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Injects a PE file into a foreign processes 7->50 14 trucking_instruction.exe 2 7->14         started        18 schtasks.exe 1 7->18         started        34 192.168.2.1 unknown unknown 11->34 52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 20 ksNfUOx.exe 2 11->20         started        22 schtasks.exe 1 11->22         started        file5 signatures6 process7 dnsIp8 36 mail.focuzpartsmart.com 162.240.214.202, 49700, 49702, 587 UNIFIEDLAYER-AS-1US United States 14->36 24 conhost.exe 18->24         started        56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->56 58 Tries to steal Mail credentials (via file / registry access) 20->58 60 Tries to harvest and steal browser information (history, passwords, etc) 20->60 26 conhost.exe 22->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twxanbot6cxqrfyeysydfv4wszia3zynf2q6fs6ozpcu4lc7svwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10378a656282ac8e5d676229bc2151b553e50906495bf0bfe6ec4c93373dc2a8
AgentTesla
2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e
AgentTesla
493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161
AgentTesla
7e610ca4df62011ac3bd3775eb00497f57c45b495300c41780f50cf760c7aeb9
AgentTesla
8177d356dbb28563c3c9053309e923f92249f4700706d402456f93e780e016f6
AgentTesla
aad777a2d2f4c889859ca2fbdc9d2bc782cf989c31d95be12abda966f4cbaf19
AgentTesla
b1e8520d2605065d4e339317a7e1a532e30969823343bf2ef245c922dfbb2da8
AgentTesla
f3341ea77e5c8f5e57ee22b1842656ff8225d0fef647bef19d0b0fcc6b87200d
AgentTesla
f4e535a66881a91014aa12b837175eb110849a0d387a925444576387aafd633b
AgentTesla
+ 2'091 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-gvwscahh83/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d
MD5 hash:
27f5124bf8f451bca8d8a15c73c4f521
SHA1 hash:
5fd557e109b8fd1c3b362b64f0ba9f1600c07211
Link:
https://www.unpac.me/results/f12e1f7d-4a1b-484d-b8fb-5daee5876a0f/
SH256 hash:
0600493ba6ab2f81f2b6e7d2828e07626df190f953068637c8ce82236222c0e8
MD5 hash:
82f10e879999652cdfe5f37f87993523
SHA1 hash:
0847ba136ab8971cc9b10ed7ca1d1eb099872469
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f12e1f7d-4a1b-484d-b8fb-5daee5876a0f/
Parent samples :
9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
98d4406e8ee40991fc7008774e833e0b6cf758ffedd7e06023a926a06646591d
028ea05169306fbb55d4243ddba1ab8ef6de4d044dc3b41eb5c4274131388bb1
89615850a0b6561bbf1c4402fe8ca95b4052f49ebd4a20f0e3ac8a176859ec58
5dab41ad35ad1c7557d6c8c6ff066f1fefed902d422877d0997d20d715a4a57b
a0fbf510a0ad55765026894b11a642401ba689147ac093aac30ddcb8d3f2988e
SH256 hash:
241267710b74c19d626be9ab89b38625553386fe07436c495e48ea829e970e2f
MD5 hash:
67465376a5a4de488ccf35d340d2f539
SHA1 hash:
040d884026225e1b526cb8861c031d4430752d15
Link:
https://www.unpac.me/results/f12e1f7d-4a1b-484d-b8fb-5daee5876a0f/
SH256 hash:
9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c
MD5 hash:
63890a467e3ce20b05c5245cf30926d2
SHA1 hash:
5d4d280333b636ba6f08bd80b0601fe0ce2c4b2b
Link:
https://www.unpac.me/results/f12e1f7d-4a1b-484d-b8fb-5daee5876a0f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9dae0685d3f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9dae0685d3f0af089704c4b032d79696500de70d2ea1e2cbcecbc54e2c5f956c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382935/

Comments