MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541
SHA3-384 hash:	b3f35446cf21c9d134354757de905c8849caab418e39035b0c7ba7cfaffeb4afe2f08da4bab16741c360afc0ef822c8e
SHA1 hash:	f8935021d9fc11aebf973fd783a4e771cf2f011a
MD5 hash:	1961277fdced10c3db399ad13bbbb4fb
humanhash:	three-johnny-diet-violet
File name:	file
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'142'784 bytes
First seen:	2021-01-19 06:09:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:Qt/rdPqdJxOWbj8MRdYTw2L4cE+lDzCb/4mEp9r7c9n3Cdwb:8ydJx5bj8MRdY5LzVDzBnp9r7e3F
Threatray	2'186 similar samples on MalwareBazaar
TLSH	E735AD14139DCB21DBFCA6F9A81140A063A9EE55F368E73CD9B2B4D5A835D2804DFF81
Reporter	fabjer
Tags:	AgentTesla pdf

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1961277fdced10c3db399ad13bbbb4fb.exe

Verdict:

Malicious activity

Analysis date:

2021-01-19 05:48:39 UTC

Tags:

rat agenttesla

Link:

https://app.any.run/tasks/e0bfd605-4751-4cf8-a3e1-2625ac1465e7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/112715/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.72552.27090.3044.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Changing a file

Creating a window

Sending a UDP request

Modifying a system file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/584441

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3lvbmd3cyabwx3y3vzf7nvnu5gvqmdv7us52zvkuzpybprg4vaq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

62b2de7bb2bb84023725e04675fef0090998a2c96ec05fa40113c7f2c52e6562

AgentTesla

721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e

AgentTesla

999df2b1578774aa6b144821d4bf67cd6f4b4ebb473a7455bb77616e3a421db4

AgentTesla

a90a76baa627c920147d32f42d72199eb9cf32091dff86cc3c387c0f7718ec58

AgentTesla

b1567ae2352fa558314ea7ddfe788d5203fca64d58bc85d01fbf5ec6324f15d6

AgentTesla

bc9a46b5c7cd6b3da735da819ef3f0298259761e87580cb2e61341ee41505471

AgentTesla

cf38c4fdb8899476e09925741f225203c9f07d2be1cb95833c1c48414812f2a2

AgentTesla

e89ccb74c57a4bd8ae32b247688abb9ce7f600704ff3b9fea788a717f3af61ac

AgentTesla

e90239127fa731890c6f55de5a7dc6cfaff1b6d8a2c61eba0d2fc7ef2e7a6ee3

AgentTesla

+ 2'176 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210119-vxakx1fgje/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035

MD5 hash:

fb169513679d349cb2a7e4121bacfd4a

SHA1 hash:

26619d7ce0a175b9fc4fbfd7f4b105050562924f

Link:

https://www.unpac.me/results/d3c81a40-87f8-460d-9f59-9e3b31f4840e/

SH256 hash:

9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541

MD5 hash:

1961277fdced10c3db399ad13bbbb4fb

SHA1 hash:

f8935021d9fc11aebf973fd783a4e771cf2f011a

Link:

https://www.unpac.me/results/d3c81a40-87f8-460d-9f59-9e3b31f4840e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 93ecbff92cfadfdaf26093aa377048328d19821c09fdb6c8a926d3751f28ceab

AgentTesla

exe 9ed750b07b16001b5f78dd725fb6ada74d583075fd25dd66aaa65f80be26e541

(this sample)

Dropped by

SHA256 93ecbff92cfadfdaf26093aa377048328d19821c09fdb6c8a926d3751f28ceab

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/112715/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample