MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df06d72513716fcfd80d3864d47aa896ec146882ee4cd5a30d998fac7ee72cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	9df06d72513716fcfd80d3864d47aa896ec146882ee4cd5a30d998fac7ee72cc
SHA3-384 hash:	99331494b9127188aa97b721bf080f07e5d6656f5f176c8635cbf3400e8a381fff94e50924c43dcb5de42142d63d6f00
SHA1 hash:	4c4ac7f9f7ffaad913aaaff06d9fae20bcf38fd9
MD5 hash:	bc6fcc22da0dcc56e010f2c4c843dad5
humanhash:	zebra-alabama-eighteen-burger
File name:	INVOICE.EXE
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	445'440 bytes
First seen:	2020-11-30 12:15:25 UTC
Last seen:	2020-11-30 13:46:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4763617a18a34da85e28d549a0ccbf9 (1 x AgentTesla, 1 x NanoCore)
ssdeep	12288:k8Z+bK/EhFy6eO/BV6IjMT6HtGsgKEjdkEzW:kY+qN6eOnTm6HEjdfzW
Threatray	1'615 similar samples on MalwareBazaar
TLSH	BB94F11136D29030E5B342B61968D761427EFC324F264E9F73D89A5D1B786C0B73ABA3
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106029/

Detection(s):

SecuriteInfo.com.BackDoor.SiggenNET.5.4463.10510.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/550833

Signature

Detected unpacking (creates a PE file in dynamic memory)

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9df06d72513716fcfd80d3864d47aa896ec146882ee4cd5a30d998fac7ee72cc/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-30 04:19:23 UTC

File Type:

PE (Exe)

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=txyg24srg4lpz7ma2ode2r5krfxmcruif3sm2wrq3gmpvr7oolga._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0d77a7855565f1f714311f0b3fddfa7a924e833f4723bdb0cb6a7d28e910844a

AgentTesla

18d3a183977a47e81f60e8ec7dfe404116b0f0f9a515696752710d6f5c005866

AgentTesla

53199d2d6d3d21f6a1549eb84faa73b98e68c3c0c4ca31889852a10277125e3a

AgentTesla

75264b6aba2081bf00b5744a1e78f0c2cc933ba030372ead5e70b1783e649e4a

AgentTesla

8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90

AgentTesla

9b21a961dea4dd3f79e08cfc5bd13aca22c3ebfefc9d5c347713b4c492d66c1f

AgentTesla

b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb

AgentTesla

c78e634f44b015861a2ff2b1ab448ca78016378cfdb15e9e482aa9606b416f8c

AgentTesla

ccf7cbe501b4e91d8f020fb061bbb24167316704bb9566aed6a6a5bc36df3d73

AgentTesla

+ 1'605 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201130-fl9asjttks/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

102c97314ef452f83c3f975add94950666c11eaf682e78e4a86edfa6d20aeda5

MD5 hash:

d1e94506c2ed32a286b65d505cc998b1

SHA1 hash:

b41779831dc26bfc5684367a58b40f1e379f6acb

Link:

https://www.unpac.me/results/ba62ad0b-96ee-49fe-891d-22ef6f3eaa64/

SH256 hash:

7a03eebfdb6aac934de4ef20f2e0364f5faa69d37abb6269636d1823f6a41bde

MD5 hash:

7ef52a95bfa07c73a4c788d21e26bd31

SHA1 hash:

065695ebf927b0bb32801ee0ae9820ddd019fba1

Link:

https://www.unpac.me/results/ba62ad0b-96ee-49fe-891d-22ef6f3eaa64/

SH256 hash:

9df06d72513716fcfd80d3864d47aa896ec146882ee4cd5a30d998fac7ee72cc

MD5 hash:

bc6fcc22da0dcc56e010f2c4c843dad5

SHA1 hash:

4c4ac7f9f7ffaad913aaaff06d9fae20bcf38fd9

Link:

https://www.unpac.me/results/ba62ad0b-96ee-49fe-891d-22ef6f3eaa64/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9df06d72513716fcfd80d3864d47aa896ec146882ee4cd5a30d998fac7ee72cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.