MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
SHA3-384 hash: b84d97b0952405ffe5cd9b1faca77715a663a8ff7620436fc2ffac7f5ba3c387004059dbc389843d5faec19fbe32b0f9
SHA1 hash: 87a5b5bd8883729612ebdb3e7e89d65d8b9f4f1b
MD5 hash: 3b1bab0433f3dbd407d1d01552d903de
humanhash: mountain-october-sodium-connecticut
File name:SOA 983580623-23.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'824 bytes
First seen:2023-07-27 06:51:02 UTC
Last seen:2023-07-27 06:57:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:X83Qrd92iNtOWe0Kwsewo1pS0CdyZq3Ly9NXfzIJf9hFq+6QR:M3Qrd91XKwsZo1g6YufU7S+6
Threatray 982 similar samples on MalwareBazaar
TLSH T1FBE4F190B1BD4FAAD57BA3FB1165A61053F6A9AF662DF34D0EC230DB21A1F400A04F57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
259
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SOA 983580623-23.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 06:58:05 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/80dbb801-c5b9-4f02-861d-16cbe7e2d9fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434668/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64c213dc1b48787a496f3669/reports/71ee0e9a-79c2-441b-90a0-5cf7ed6cc5cf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f52f264-1cd3-4a34-bd82-c2a0e9803a22
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280885
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280885 Sample: SOA_983580623-23.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 5 other signatures 2->68 7 SOA_983580623-23.exe 7 2->7         started        11 OSzIxrRt.exe 5 2->11         started        13 ljwWqDx.exe 2 2->13         started        15 ljwWqDx.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\Roaming\OSzIxrRt.exe, PE32 7->44 dropped 46 C:\Users\...\OSzIxrRt.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmp79F1.tmp, XML 7->48 dropped 50 C:\Users\user\...\SOA_983580623-23.exe.log, ASCII 7->50 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 7->82 84 Writes to foreign memory regions 7->84 86 Allocates memory in foreign processes 7->86 94 2 other signatures 7->94 17 RegSvcs.exe 17 4 7->17         started        22 RegSvcs.exe 7->22         started        24 powershell.exe 17 7->24         started        26 schtasks.exe 1 7->26         started        88 Antivirus detection for dropped file 11->88 90 Multi AV Scanner detection for dropped file 11->90 92 Machine Learning detection for dropped file 11->92 28 RegSvcs.exe 11->28         started        30 schtasks.exe 11->30         started        32 conhost.exe 13->32         started        34 conhost.exe 15->34         started        signatures5 process6 dnsIp7 52 mail.sindbadclub.com 91.121.255.161, 49706, 49709, 587 OVHFR France 17->52 54 api4.ipify.org 64.185.227.156, 443, 49705 WEBNXUS United States 17->54 60 2 other IPs or domains 17->60 42 C:\Users\user\AppData\Roaming\...\ljwWqDx.exe, PE32 17->42 dropped 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->72 74 May check the online IP address of the machine 22->74 36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        56 104.237.62.211, 443, 49707 WEBNXUS United States 28->56 58 api.ipify.org 28->58 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->76 78 Tries to steal Mail credentials (via file / registry access) 28->78 80 Tries to harvest and steal browser information (history, passwords, etc) 28->80 40 conhost.exe 30->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-27 03:28:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3kgtqaqbygwinnhic7u53julpdyaos6pskxi4zhplgvy6bbphaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2f7236c222fa634974037a2469d83098ee0a9aa28176106fd88f10c5beae35c4
AgentTesla
7575a4e559fb7df7dc4781137aa09a0e9bf542b3127b5e34850d5829e59ac58f
AgentTesla
8c929903e4e19929cb2c3a77560fe295684b67434763be0372cbdbcef7d44191
AgentTesla
9b41e719470475dfacf64f42d8d8001d90cf442213fdf0e19ad5cd86d9742810
AgentTesla
a1b695b94ceabf5c9f17d0fe34d6242a62e277e4f269b83a0f0a8f26025dcfd2
AgentTesla
a50ff27364591ebbe3589623d88752369ff33f67df2994f70d79177144376cc5
AgentTesla
aba16ed8d742b8ebeb80e736ec3ad99e4480eeb977a1aeb3ec124dc7d7b3e546
AgentTesla
aea4ac1c910d807878e375aacde942a685bfc7b97844f7dc4e5102a933471267
AgentTesla
d95620daeaadaeaf64a5524ce23f6a73d286f9d5ece92f094c5ca081cbd219db
AgentTesla
f965288f8e286199df63e46663fb0d547f1b833fa7f53d227c622807b0cb122f
AgentTesla
+ 972 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230727-hmg5naba41/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Unpacked files
SH256 hash:
bf3e09a922fe201b9a89bc7eb51e68484d34df5eb1814ef367ed7fe33168f4d7
MD5 hash:
86b0f7019da436553da6d3025bb9e5c2
SHA1 hash:
fdd09de13a13cede11745c52015e4ae02a7098f6
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/78148481-6a02-4427-ac04-61afe0f829e9/
Parent samples :
b226a85b8821593522c97ef77d924a2a2fd57fafdf2b251e19fd603853b835f9
cf5b1fe7a9600b5f132475ef3586dccd40e8559e9637d3f9b20e73f55d77961d
9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
81f212a2fc589aaec29e362c17af8209bb0ebfc4e92b1c8b0a2da3a3e62c65a9
SH256 hash:
fdc236e7660ba42c43a07021cb300b2d81cde14489c51432ad40aa2c7650d8e3
MD5 hash:
552cc2842c614a8c21b9bdcf6d77f632
SHA1 hash:
cc14ae8425bb3c2e49782be0639776ef2780b463
Link:
https://www.unpac.me/results/78148481-6a02-4427-ac04-61afe0f829e9/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/78148481-6a02-4427-ac04-61afe0f829e9/
SH256 hash:
621757765e78c947e0c988bf54b5cf6b82011ec257e7726d06c6122853f31d44
MD5 hash:
1af9851123292534c0ea805232559707
SHA1 hash:
28ea17f3f68944f589f34e9917cee33ed05fbc55
Link:
https://www.unpac.me/results/78148481-6a02-4427-ac04-61afe0f829e9/
SH256 hash:
9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0
MD5 hash:
3b1bab0433f3dbd407d1d01552d903de
SHA1 hash:
87a5b5bd8883729612ebdb3e7e89d65d8b9f4f1b
Link:
https://www.unpac.me/results/78148481-6a02-4427-ac04-61afe0f829e9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ed469c0100e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a1fe7af13e121d38dceb8ec99f54da9a86bb4021ea512c6cefa0827b480402bd

AgentTesla

Executable exe 9ed469c0100e0d6435a740bf4eed345bc7803a5e7c957473277acd5c782179c0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a1fe7af13e121d38dceb8ec99f54da9a86bb4021ea512c6cefa0827b480402bd
  
Dropped by
SHA256 c80021a91012f1541ba0f5ae164c916ad601955d38e36d702391c5f6b69e579a
Cape
Cape
https://www.capesandbox.com/analysis/434668/
  
Dropped by
MD5 abad84b98bfaedff40e93d78c597e198
  
Dropped by
MD5 4cf0fd8f79e0aad3fac2382294e3c4fc

Comments