MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab
SHA3-384 hash: fe05c3b0a7878a543f72369314e75a8a96489de6b1bc27e216f785c6a90a5b934887d3812cdc1b13cf9d8216bc090623
SHA1 hash: c1471a7a20167040e6e8a6c63c3f61e1dcfdae9a
MD5 hash: 782b173b7512c3216f4d22bbfdcdebd2
humanhash: autumn-wisconsin-enemy-robert
File name:T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com
Download: download sample
Signature AgentTesla
Create hunting rule
File size:306'570 bytes
First seen:2023-02-13 10:37:19 UTC
Last seen:2023-02-13 12:55:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6v/IdTHphgqA2tZniPqxoCtl6JfHpNJNT+T83ryjmqjx:PYFAdgqfttUqxfti/JNyCq1
Threatray 25'987 similar samples on MalwareBazaar
TLSH T17D64137436E0C16BF5B387B60A7F245792D8103224A01B4B1BA07B19F7FA7456E7DB22
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
T.C.Ziraat Bankasi A.S_Ekstre_20191102_073809_405251-PDF.com
Verdict:
Malicious activity
Analysis date:
2023-02-13 10:37:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c51679a6-1822-44b4-bcec-2064bd3f6a0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/364980/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.16175.14247.25300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68993/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ea130c19bdad8346358839/reports/2aebaa7d-45d3-4999-ba8a-70f05eabf5df/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45562fd4-41ea-4c24-a05f-2c79f1c6c6f5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173245
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab/
Threat name:
Win32.Trojan.GenShell
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 09:20:29 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzthh3eacptbz5ov7cgnpnpzg7yaywdkdtkbakn3t4qexz7zicvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0892c1361c3771d9a3289589e8b0a9709e892970176943d649e87179044cb53f
AgentTesla
0ebf4340d56b8018e2d6655311da863e7d3351ac9bda8438f2a42f51139d98a6
AgentTesla
13ed10331157947caf6eac920f6b467c3170eaa5022b704d4596c0f397f8654c
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
30c0d3fd2e08ec5373038ad0b90f1f1cb1a475661bafcc8a110e965bcc9d8f21
AgentTesla
c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789
AgentTesla
e00c81eaf51d453c0a837df83d38b33cc4217bc40473a5a927c2434a1520a520
AgentTesla
edbe483f1204111a68f4942f898fcf1093ee26a4664bdea61a2b0f100cffb551
AgentTesla
f77bee7347c6139e6ee4f9410f5ff2305d6d5338f050926b678c22cfd90f19cd
AgentTesla
f8fa4a68488cfbb2c7130ee2637393f65e6a2585bf9171bcda0f0f7a7e4cffb6
AgentTesla
+ 25'977 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230213-mpdmgaca5y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6290925213:AAFLMUFOuvJvoECd5R6d3y3YNrpOumh9MFw/
Unpacked files
SH256 hash:
da583e9618f4ace3f496c00e12f0b852ddcbf1c97d5f4e3ed0be44f69f4ce5d4
MD5 hash:
ca693d0d6fc6575aff40163d9b77446c
SHA1 hash:
e12ef555d53bc385d9cef477196845d177eae77e
Link:
https://www.unpac.me/results/007521ad-f45e-4865-a4a8-cac3911828e0/
SH256 hash:
3f43c9b7e1a28b36a2a387db19487199b062d0f46b72a70b7083e320602b4d0b
MD5 hash:
6bf1abd319f82e58e67a62d33a14663e
SHA1 hash:
20b0434882b94eee319ffb727184bff27416bee8
Link:
https://www.unpac.me/results/007521ad-f45e-4865-a4a8-cac3911828e0/
SH256 hash:
3bf627ef38e0bab5a9bae09fb3fcbf88b345348bb3a21e189e6d65b0b0110629
MD5 hash:
e9cea01240de37759a3067bbcda9051d
SHA1 hash:
97a0ced4b168df262bf6667857568d19a0d4e740
Link:
https://www.unpac.me/results/007521ad-f45e-4865-a4a8-cac3911828e0/
SH256 hash:
9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab
MD5 hash:
782b173b7512c3216f4d22bbfdcdebd2
SHA1 hash:
c1471a7a20167040e6e8a6c63c3f61e1dcfdae9a
Link:
https://www.unpac.me/results/007521ad-f45e-4865-a4a8-cac3911828e0/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e6673ec8013/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/364980/

Comments