MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa
SHA3-384 hash: eb4202c6751f728f574c548825458dbfce5a57d69e92461d6b7801889510451608de39219a41511b8e4f17d9af1587a3
SHA1 hash: 411ac383458ea95353205303839ce82bc4940a5e
MD5 hash: c7d275554ba50e071538c42d7a1c3c19
humanhash: leopard-foxtrot-november-helium
File name:MACHINE QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:459'595 bytes
First seen:2021-09-16 10:45:48 UTC
Last seen:2021-09-16 12:01:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:kmJxRHHE6mRsc9gC8NLhPtD/fJomIA1jjAbVpgWr5ld0t6go1wzX:oO/fJHjjGGY5nEIwzX
Threatray 9'902 similar samples on MalwareBazaar
TLSH T167A4D163A193DDA2C585593D4564FBAC823C8F610E1FB289A1793223EA73D4B1F4CCD6
dhash icon f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MACHINE QUOTATION.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 10:45:58 UTC
Tags:
keylogger stealer agenttesla trojan rat
Link:
https://app.any.run/tasks/128fe64f-1c23-47cc-9ed0-57d30ec8a657

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188403/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.25610.21615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/617521d49a5a1e91c5d2045d/reports/dcd2d067-044d-4d1b-9de1-0b6e70d14592/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/25cd45e9-be32-4adc-ab5e-f1b839a06936
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851998
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 10:46:09 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3uffrg4vus4zr3n45upovxwhqget6sb52r4l2nadmy6q5a5vx5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
216dc98d0a9b992b98806b104dfea335abe2c28673825b0b26dda374d62b46f2
AgentTesla
21b7caf5f732c0b5927cec1c22391c81dcc13114128f36bedbce750f214c959d
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
4fc3b496c7ac53d926fc798cc9e31d907f70c5392b4e7b6b0b368f7eccd2d638
AgentTesla
916146b7a06999f90a389b0384608f0e4fee074f6d322b2e6437980af9a4c8f4
AgentTesla
c42b7b1630553baa3aeb65e40b04244910822c175e9b6cb3f7f365264171196b
AgentTesla
cb39ca4eb7f5c23639bf05752a6e57f28346b35ad175845b2ed0a5caa019fe77
AgentTesla
d6e209bed82a28f5559074dc102c43d10bd28d9468f1a15a5ae2cc6011de234c
AgentTesla
dc5d2c1e1e0bbce8f84b0ef295b9187c98d514765c92ddb720ed17322789a09f
AgentTesla
+ 9'892 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210916-mtz19sfffr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
62c3d848112322e14c98ca00b7074824045d343fa973b1196efc656c8b5b6679
MD5 hash:
a823d5d3474056d50e27edd8aed5099b
SHA1 hash:
8439317fddcfd452c9dd6c2c396d610289d3e326
Link:
https://www.unpac.me/results/993ddb15-83ba-40fe-9bac-ae84d1f01326/
SH256 hash:
9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa
MD5 hash:
c7d275554ba50e071538c42d7a1c3c19
SHA1 hash:
411ac383458ea95353205303839ce82bc4940a5e
Link:
https://www.unpac.me/results/993ddb15-83ba-40fe-9bac-ae84d1f01326/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9ee852c4dcad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9ee852c4dcad25ccc76de768f756f63c0c49fa41eea3c5e9a01b31e8741dadfa

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/188403/

Comments