MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf
SHA3-384 hash:	72012220b256b087e2756ba647b96fc445842adc02c3eef23ac446e2ee6ac05ea02667f0e32cf4845c9e1dd5a9b84a02
SHA1 hash:	7576da5de573c7f361b17feb0bc6a3f53d477de9
MD5 hash:	6f34012b079006f17de8f1f28ce77ea6
humanhash:	winner-burger-summer-mike
File name:	UPDATED SOA.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	352'353 bytes
First seen:	2023-12-18 17:29:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep	6144:bhjmb0T5z3qHmiotZUIoXDer06wd4RLBBjX99okpr0R4rna6fRPFsqf0oTaCof:c0T5z3Hiot+oW4RLDjXlr1rTfRtsqcoM
TLSH	T1A274122672E54DF7C292477019B35B72C2A6A76060313FAB53985FBDECA03C74B526C2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

317

Origin country :

DE

Vendor Threat Intelligence

CAPE Sandbox AgentTesla

Detection:

AgentTesla

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/468323/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.24593.20641.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Sending an HTTP GET request

Setting a keyboard event handler

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6580819cf4b6e5e1634f26b7/reports/0c8372f3-8c14-4904-aab7-d217c4b583ee/overview

Hybrid Analysis Dropper.Trojan.Generic

Verdict:

Malicious

Labled as:

Dropper.Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/de336cb7-6271-470c-98ca-7ad442a340a0

Joe Sandbox AgentTesla, NSISDropper

Result

Threat name:

AgentTesla, NSISDropper

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364069

Signature

Contains functionality to log keystrokes (.Net Source)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

99%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf/

ReversingLabs TitaniumCloud Win32.Trojan.Znyonm

Threat name:

Win32.Trojan.Znyonm

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-17 23:44:21 UTC

File Type:

PE (Exe)

Extracted files:

3

AV detection:

19 of 37 (51.35%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tzbuupkwbfceoxtwmj55or3n2dhkeecntqkcetivj3bqhqhc7thq._file

Threatray agenttesla_v4 agenttesla

Verdict:

malicious

Label(s):

agenttesla_v4

Alert

Create hunting rule

agenttesla

Alert

Create hunting rule

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231218-v25kqadea2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

UnpacMe 2

Unpacked files

SH256 hash:

975a0831f4a98e37833cb7b778e22f45a6c9ddd60e5291ec1f9b5c2c07ddae4b

MD5 hash:

611e4e34401c603b121b903174552dce

SHA1 hash:

c01fd901268b16592b038748fea9476bc517e1a1

Link:

https://www.unpac.me/results/d35e8b8e-edd2-4932-b302-c5c7ab112dc6/

SH256 hash:

9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf

MD5 hash:

6f34012b079006f17de8f1f28ce77ea6

SHA1 hash:

7576da5de573c7f361b17feb0bc6a3f53d477de9

Link:

https://www.unpac.me/results/d35e8b8e-edd2-4932-b302-c5c7ab112dc6/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9e434a3d5609/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 9e434a3d560944475e76627bd7476dd0cea2104d9c14224d154ec303c0e2fccf

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468323/