MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fcfa4b4de180ef84d066d2a1841bb50ff5a5c2612e2a09c32826e752fd09d3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	9fcfa4b4de180ef84d066d2a1841bb50ff5a5c2612e2a09c32826e752fd09d3b
SHA3-384 hash:	fb1f25b6bded520a15bf575bd65f8ca6acf23737f0bd5313a78e4af7cfb4bf7d262e351cf66992f6f3cfa459b5b84591
SHA1 hash:	3e236752adb4208b1331f1ae2438d28a298bf4c5
MD5 hash:	9a7fb3227261802ab37e4d83f1402526
humanhash:	kentucky-sad-beer-west
File name:	SCAN_20210723_102237977_07232021_103213,pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'039'872 bytes
First seen:	2021-07-23 09:51:46 UTC
Last seen:	2021-07-23 11:11:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:DHW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+hu3AX:Siecqqr2wIR
Threatray	7'437 similar samples on MalwareBazaar
TLSH	T1C425C644568FC7BFAA5B22F0082C109C94BBDD2EC209BA79BE0E4C76B563FE5117D485
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SCAN_20210723_102237977_07232021_103213,pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-23 09:59:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fe7ac729-dfa0-43fa-9562-6498d5a3fa38

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/173588/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DLO.genEldorado.2528.25998.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6dff92e7-ad6b-416f-8835-a3b9ac553c6f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/820683

Signature

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9fcfa4b4de180ef84d066d2a1841bb50ff5a5c2612e2a09c32826e752fd09d3b/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2021-07-23 06:41:39 UTC

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7h2jng6dahpqtignuvbqqn3kd7vuxbgclrkbhbsqjxhkl6qtu5q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

024906728c5f959b3c9ee04fb87143c243bb1d636f33c362d4eb77d14824f57d

AgentTesla

3af6ba5f69116c96cddaacbd5bfb5db4f1e3da780f0d0b71448c0b8ff91b0dbc

AgentTesla

50092ce00b7ddc00affb030883d416375fa8acc6139fd8f3ca0ca9d087e2602f

AgentTesla

5d56e2b91fe3a63ccc44c1502e87d0253ab4d12e77cff395700c42122872bf73

AgentTesla

85c5f35470f6e7921ec125f8c7e103c9f32b22e369634f2706f98949f676641f

AgentTesla

93428591d0bd2f4373fbb11177f0812329f7b759688c1e76e85b16e37a64b285

AgentTesla

b5c47964271578c767ebb7c3bfee10cda45464043d6e2879408f138da8031cf4

AgentTesla

d111287aee920760e92b0c9a80e3aa551a3e439961a2aac3976420c3c6e04e55

AgentTesla

e2442b1de26c03cdd8343e1a8f0428a97c341181bc8289d92f2764931dcab744

AgentTesla

+ 7'427 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210723-lwyvhm6bp6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

de5789174361d73723459b063a161d22943076a69b31ce2dbfe554fd6a77bb35

MD5 hash:

4c18fbb276f17c0361c3ae33b6c95219

SHA1 hash:

f7b7b2e7b041620063acd74d16308ee6044506ea

Link:

https://www.unpac.me/results/298c0628-e9dc-41b6-b411-7b22021c73cf/

SH256 hash:

9fcfa4b4de180ef84d066d2a1841bb50ff5a5c2612e2a09c32826e752fd09d3b

MD5 hash:

9a7fb3227261802ab37e4d83f1402526

SHA1 hash:

3e236752adb4208b1331f1ae2438d28a298bf4c5

Link:

https://www.unpac.me/results/298c0628-e9dc-41b6-b411-7b22021c73cf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/9fcfa4b4de180ef84d066d2a1841bb50ff5a5c2612e2a09c32826e752fd09d3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/173588/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample