MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13



SHA256 hash: 9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647
SHA3-384 hash: 238754b68ad540eac2bde9f91fa9bca0cfe9807bc448fc6316f0a7ad8a2f1ec919f3d91c023cc91ce6e1fb72b9a820fb
SHA1 hash: 3411f02533cbfdcbfac18b081a6dcf8777fbd42e
MD5 hash: db6fee87c1d18f981fbafe77012a99bf
humanhash: massachusetts-utah-summer-magnesium
File name: db6fee87c1d18f981fbafe77012a99bf.exe
Signature AgentTesla
File size: 680'448 bytes
First seen: 2022-12-19 09:24:58 UTC
Last seen: 2022-12-19 10:32:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:W6wO4H2xtAqQXMe6wc4aWxu4P9rmoBxl73ESaHPktuG/1/hCpSX:Py2nAq2Me6/cxNBmo57USav6XL
Threatray 24'670 similar samples on MalwareBazaar
TLSH T172E4E00CA3B80A21DE6A83BDD4714B1403F6DA058A9DEFDD8EC7B8F71D2278D8515663
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon c399998b8b9b8bfe (7 x AgentTesla, 3 x SnakeKeylogger, 1 x Loki)
Reporter abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: db6fee87c1d18f981fbafe77012a99bf.exe
Verdict: Malicious activity
Analysis date: 2022-12-19 09:31:55 UTC
Tags: agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Gathering data
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2022-12-19 02:38:41 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 22a99e2740dcb5fcab542cb6ee33472a01b8f226f76e031e31b9f00ca1b08b8c
MD5 hash: bb7995fc982c684be3ddc978e7853bca
SHA1 hash: b5b9064f2f4ca6b8fa9646700d0bb7d0e0acbd55

SHA256 hash: 5faa13708728ddbc1db9949d729835d1b07a026a15af9bc3253e9a6619981d1b
MD5 hash: 182807d466e6f3f95bf05271cd760f85
SHA1 hash: 6b3ff6d7a3b8fc1951d99cf253a702f4f77cd93f

SHA256 hash: 0171d6e3170b2b15df689f5c94f6181f8eb5eebdb1e5c2710b71ba61e9b04273
MD5 hash: 7d563963637be3d025a3a37dac6d62da
SHA1 hash: 64cb450a00aaf945bfcf9aae6e3f4ae1c5a43c4f

SHA256 hash: 648749114b1a7f198b44dba4261ea0ca4f6752d76bd1842f1b3f6429c7f2506f
MD5 hash: 583545ed70314bb191ffcafb5a686fb9
SHA1 hash: 4977b87e43a706353cb5161bf1d3512aa0938282

Detections: AgentTesla

Parent samples:
SHA256 hash: ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash: 89ac57478044c57c7195943116a521e0
SHA1 hash: 1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

SHA256 hash: 9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647
MD5 hash: db6fee87c1d18f981fbafe77012a99bf
SHA1 hash: 3411f02533cbfdcbfac18b081a6dcf8777fbd42e

Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
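Both rules above match on the sample's imphash. Note the count next to that imphash in the file information: the same value is shared by 48'652 AgentTesla, 19'463 Formbook and 12'204 SnakeKeylogger samples. That is expected for a .NET executable (TrID reports Generic CIL Executable): a managed PE imports only mscoree!_CorExeMain (or _CorDllMain), so practically every .NET binary has the same imphash and an imphash-only rule cannot tell families apart. The script below is an added example and is not MalwareBazaar's or any vendor's code. It hashes a local file with the four algorithms listed in this entry, reports which digests match, and checks the PE's CLR runtime header (data directory 14) so that an analyst knows up front whether an imphash hit is meaningful. The digests are copied from this page; the PE header stub and the other test inputs are constructed and are not real samples.

```python
"""Offline triage helper for the digests published on a MalwareBazaar entry."""
import hashlib
import struct

# Digests copied from this MalwareBazaar entry (SHA256 9f9cd55c...).
ENTRY_HASHES = {
    "md5": "db6fee87c1d18f981fbafe77012a99bf",
    "sha1": "3411f02533cbfdcbfac18b081a6dcf8777fbd42e",
    "sha256": "9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647",
    "sha3_384": "238754b68ad540eac2bde9f91fa9bca0cfe9807bc448fc6316f0a7ad8a2f1ec919f3d91c023cc91ce6e1fb72b9a820fb",
}


def hash_report(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar publishes for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def matches_entry(report: dict, entry: dict = ENTRY_HASHES) -> list:
    """Names of the algorithms on which the local file agrees with the entry.

    Identical bytes match on all four. A partial match is worth a second look:
    either one side was transcribed wrongly, or (if only md5 agrees) someone
    built an MD5 collision. Never trust an md5-only match on its own.
    """
    return sorted(name for name, digest in entry.items() if report.get(name) == digest)


def is_dotnet_pe(data: bytes) -> bool:
    """True when the PE carries a CLR runtime header (data directory 14).

    Managed executables import only mscoree!_CorExeMain / _CorDllMain, so their
    imphash is shared by nearly every .NET binary and carries no family signal.
    """
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 24                       # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                        # PE32: NumberOfRvaAndSizes at +92
            count_off = opt + 92
        elif magic == 0x20B:                      # PE32+: NumberOfRvaAndSizes at +108
            count_off = opt + 108
        else:
            return False
        (n_dirs,) = struct.unpack_from("<I", data, count_off)
        if n_dirs < 15:                           # directory 14 is absent
            return False
        rva, size = struct.unpack_from("<II", data, count_off + 4 + 14 * 8)
        return rva != 0 and size != 0
    except struct.error:                          # truncated header
        return False


def build_pe_stub(dotnet: bool) -> bytes:
    """Constructed, non-runnable PE32 header used as offline sample input.

    This is not a real sample; only the fields is_dotnet_pe reads are populated.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional hdr
    opt = bytearray(224)                                         # PE32 optional header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR runtime header dir
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """Hash comparison plus the .NET check, so an imphash hit can be weighed correctly."""
    report = hash_report(data)
    managed = is_dotnet_pe(data)
    return {
        "hashes": report,
        "matches_entry": matches_entry(report),
        "is_dotnet": managed,
        "imphash_usable": not managed,   # imphash-only hits on managed code are weak evidence
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_pe_stub(dotnet=True)   # constructed stub when no path is given
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py sample.exe` against a downloaded sample; with no argument it runs against the constructed stub. The same PE32/PE32+ offset logic applies to any Windows executable, so the .NET check is usable beyond this one entry.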

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: AgentTesla
File: Executable exe 9f9cd55cae9d3807b8b594dc0d21f373b011ced9fb9c5b5c967245e274966647 (this sample)

Comments