MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d
SHA3-384 hash: a19cc8d961fdd6457b93f17c260a4037e874a08203a6fe78a26a8c8c4100d72d7226c55de587d687b4b7d6d27d9a17ae
SHA1 hash: 185b7ee31ac87e4d1de151ca40e9af25b7c5bae0
MD5 hash: 0162655d37168ffb03c4afafad5ef674
humanhash: kentucky-ceiling-finch-pip
File name:0162655d37168ffb03c4afafad5ef674.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'049'088 bytes
First seen:2021-04-22 06:16:48 UTC
Last seen:2021-04-22 07:19:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:zqcvD8qsg6t3DACnVxRRRRRmLwXSn3oFSmfSV:BsAARRRRRmLwCnYQsSV
Threatray 4'628 similar samples on MalwareBazaar
TLSH A2256C1EE75E6B00E7EA973AC1E45974802BDC12E905ED3E5BE473BD4AF16CD2014A83
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Biomed quotation.xlsx
Verdict:
Malicious activity
Analysis date:
2021-04-21 13:28:08 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/ee8856e3-29ac-455f-bafe-633cec6b9cd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143544/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36756505.22614.476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692344
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 395107 Sample: KqXtlrj1Vk.exe Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 41 www.saporilog.com 2->41 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 9 other signatures 2->55 11 KqXtlrj1Vk.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\TBJPnHZv.exe, PE32 11->33 dropped 35 C:\Users\...\TBJPnHZv.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmpA745.tmp, XML 11->37 dropped 39 C:\Users\user\AppData\...\KqXtlrj1Vk.exe.log, ASCII 11->39 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 11->65 67 Tries to detect virtualization through RDTSC time measurements 11->67 69 Injects a PE file into a foreign processes 11->69 15 KqXtlrj1Vk.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 www.sabaimeds.com 192.64.147.164, 49722, 80 VOODOO1US United States 20->43 45 www.smartspeicher.net 80.120.70.88, 49719, 80 TELEKOM-ATA1TelekomAustriaAGAT Austria 20->45 47 www.anchotrading.com 81.17.18.197, 49724, 80 PLI-ASCH Switzerland 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 cmstp.exe 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 18:10:11 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6w25ddkdestnrawo5kgxqzokmgtqccja3ul4yifonjy6ckvysoq._file
Verdict:
malicious
Similar samples:
06468ea1dc2797e282fadf08ce089550b3f4f665277c65889106e9d33ed61239
AgentTesla
144ba78ed9c55be4ae5cf35ce9dfa6ee728c8e3eec6ae24e86b63b16c259d772
AgentTesla
5386335debe7df955f9f8cf8e2fa0d5d482b197a3e24c59b0197eba5bf3d28b4
AgentTesla
57605921f72fd210ec256ed3010b59d111c6d3b9e49b9e830e06d6bddce83db4
AgentTesla
9b9218d3692f38654cde45d5a9b01a6d5cb83aa5442c286fc4e073a6348e08d1
AgentTesla
c2b8d66b59eabf04dadf3af98e03e6f3aad3f289e826852fabda188863eb679b
AgentTesla
e614d735f9fb59c6c21cfed37a1177fa6607684c1ef6be58707b517c96407462
AgentTesla
ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
AgentTesla
f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
AgentTesla
f8c3b9a8f01e022158ef5f9bc6d69287b6b03ce5527f7ac911de25dcdc016569
AgentTesla
+ 4'618 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210422-3ldc88dtl2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.kelurahanpatikidul.xyz/op9s/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9fadae8c6a192536c41677546bc32e530d38084906e8be610573538f0955c49d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/847209/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/143544/

Comments