MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16
SHA3-384 hash: 591fd5a175dee2e67f59211850749a8dfcdafd9958119fb83aae4e9149a981e8f4eafd627ee8a84499c271945e95454a
SHA1 hash: 9bfd705640d1c34a26842d49e2e66c73c26c9a37
MD5 hash: dae7f23e07d7e741ea4c3e9279d709ca
humanhash: queen-speaker-minnesota-magnesium
File name:RFI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:894'976 bytes
First seen:2022-03-15 19:12:45 UTC
Last seen:2022-03-15 20:47:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:7m7wOn5ZVVLGkzYgNPNiRWqjHYmbZZv8+o9:76fnrVDZNPNicqjHYmP81
Threatray 16'652 similar samples on MalwareBazaar
TLSH T13515128AB2E8ABC3F477CBFB8865160483B6B1692519E3491ED570CB05F3F408799B47
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFI.exe
Verdict:
Malicious activity
Analysis date:
2022-03-15 23:25:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2fa6aa92-7375-41ac-8e6e-c09dd826627a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/251043/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.25660.28659.15569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6230e5470cd58dbd92a0c031/reports/f476709b-715d-4b8d-a30f-5d8c563d6a16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfe5ced6-a805-41bf-ae78-13be950f9b04
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957398
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 15:14:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5iuoohpshsj2hlkc4fn6rzydpg4vqemtgqs3vidnvcwixrlvqla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
484f6592d90c1da40b43355a3ca07b1114407f90ac7096981b597a2d07b9d770
AgentTesla
5ee6cbe5f63b3783286dd68a84ba5d14b29d1841511c3a7e184a6d107d1dedb0
AgentTesla
61af4f86908d3b0248cb2a618596cda0f082dec547943d6a197e93d7d3b01c89
AgentTesla
7ae521839625581fe6f803313ccb6c40f61b45b0597423eec46f4d99e25a7b41
AgentTesla
b265897f9d97d7c1d2ee2533e216946dd241bff6644b38ba8928db6e1ddf1b63
AgentTesla
b87496adef518762cc306678879a6388e4dd08a86f1c7c55ac3ddedd65e19267
AgentTesla
ea3ed08696eedadc8878332e3c2e2eeb69b54bdffd12165c8c1b60713cefd849
AgentTesla
+ 16'642 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220315-xw36tadcgp/
Unpacked files
SH256 hash:
ec1d1a39236fdb6ff8fce58c0f33bf50ae5c3b84f69f9a6bc045c5436fca1d5f
MD5 hash:
98a1f553814904ae6ae6687ab941f9b7
SHA1 hash:
c5a6a0e09b22f6b87e23583a19af841a681576a0
Link:
https://www.unpac.me/results/c37d0937-586d-4b1f-ba05-1aedd889e67a/
SH256 hash:
7858721a4a698376d65e988770b022635673439031ba21bc6471359d476bd5aa
MD5 hash:
cb478302a11fc7effeb931e48374f4d3
SHA1 hash:
bc3b9f462e5ffa93b3e43a23a6bd8cd5a84f788d
Link:
https://www.unpac.me/results/c37d0937-586d-4b1f-ba05-1aedd889e67a/
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/c37d0937-586d-4b1f-ba05-1aedd889e67a/
SH256 hash:
8e3103254640ef42e0af418d8fac62f21237eab2a3d7f8bcbded15d1ce7c93db
MD5 hash:
a970d92935d5f644b4696ae943aed61f
SHA1 hash:
7f77bc03316ce39c50bdadc3d0823883c3571676
Link:
https://www.unpac.me/results/c37d0937-586d-4b1f-ba05-1aedd889e67a/
SH256 hash:
9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16
MD5 hash:
dae7f23e07d7e741ea4c3e9279d709ca
SHA1 hash:
9bfd705640d1c34a26842d49e2e66c73c26c9a37
Link:
https://www.unpac.me/results/c37d0937-586d-4b1f-ba05-1aedd889e67a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9f514738ef91e49d1d6a170adf47381bcdcac08c99a12dd5036d45645e2bac16

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/251043/

Comments