MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9818c8a1207c3efe5622fc128ead77a8bd82cbc4cadc731b23d0662ad601884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9818c8a1207c3efe5622fc128ead77a8bd82cbc4cadc731b23d0662ad601884
SHA3-384 hash: b5d740d3e8106cee9d897686b8da8c79c39a0abf325287906cee01d59afe705588ed40a2aef3161b70d4acde08cdcbf4
SHA1 hash: 3c197a948da924b8eb327a566530ac284d218ddf
MD5 hash: 41e878a473b84aa00227fc9c46077743
humanhash: blossom-apart-steak-robert
File name:SecuriteInfo.com.Trojan.GenericKDZ.94950.8779.3609
Download: download sample
Signature AgentTesla
Create hunting rule
File size:924'672 bytes
First seen:2022-12-17 04:27:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:U/drdHq5nI+7DwvPz/8pLMDSAcfZ+wFMhH0T0WIHYA9gR4PmyFXpPgNPJI+I:O0lImMj/aLMOx5SpcyAUmyFXpPg
TLSH T1FF158C0A72D48F59EA62DBF10600B4B0269737DE29DDEA3C8EEA0FCE4411718D9456DF
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKDZ.94950.8779.3609
Verdict:
Malicious activity
Analysis date:
2022-12-17 04:29:05 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/e40c671c-a4b5-4aec-86c6-b79d0f41bc60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347201/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.94950.8779.3609.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639d4553e0c2ab77481f4c83/reports/19e5684b-4f86-41d8-b8bb-0c7be1379cb6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80a37a7b-b52d-4993-9af0-d795f1f7d589
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136594
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769334 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 18/12/2022 Architecture: WINDOWS Score: 100 23 Malicious sample detected (through community Yara rule) 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected AgentTesla 2->27 29 4 other signatures 2->29 7 SecuriteInfo.com.Trojan.GenericKDZ.94950.8779.3609.exe 4 2->7         started        process3 file4 19 SecuriteInfo.com.T...0.8779.3609.exe.log, ASCII 7->19 dropped 31 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->31 33 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->33 35 Adds a directory exclusion to Windows Defender 7->35 37 Injects a PE file into a foreign processes 7->37 11 SecuriteInfo.com.Trojan.GenericKDZ.94950.8779.3609.exe 2 7->11         started        15 powershell.exe 21 7->15         started        signatures5 process6 dnsIp7 21 us2.smtp.mailhostbox.com 208.91.199.224, 49698, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->21 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->39 41 Tries to steal Mail credentials (via file / registry access) 11->41 43 Tries to harvest and steal ftp login credentials 11->43 45 Tries to harvest and steal browser information (history, passwords, etc) 11->45 17 conhost.exe 15->17         started        signatures8 process9
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-12-17 02:58:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgayzcqsa7b67zlcf7asr2wxpkf5qlf4jsw4omnshudgflladcca._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221217-e3netsgb68/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
35cad145efd0b5b6396491150d2e307d4cb5e06d4f1b41aa310393c6dce520b9
MD5 hash:
56f8354a2e307e73243ff0056295fedd
SHA1 hash:
ed3257769ea438e1b5e86c3ef033e2deca86e239
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
SH256 hash:
c74236151611166905fb181243278101005417b4606e7163d2645977a9f35662
MD5 hash:
504b7db98753cecde005fe8e2e6a5023
SHA1 hash:
aeb871c727895a73f633b76280c9f429937bc36a
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
SH256 hash:
ddb4b9708827cb344d5c08c6b07571d0d6a38fd4b594bcbdb73fa4e0104b274d
MD5 hash:
4709d80b2fe48a1401137beae6f231c7
SHA1 hash:
53856da064431f669e254da51bf4a3e7db634120
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
SH256 hash:
a9b99f6e456cb0d251bf80b7bee217520563664c7c23b53e2cf8055ae27f154f
MD5 hash:
cbe1be685e5e27f85c924938024ab3e8
SHA1 hash:
512ab74cc3a29c00e843b60038f2cac4fdfff19a
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
SH256 hash:
7a9e10da13deae16625383ac8609c6b6f808ecceab8d810c2b793cbd72b4d1bd
MD5 hash:
81a260020f3f322f87767dd0f6abcd48
SHA1 hash:
0a0825a75f1aa4e9b297e6c4c4ed6432c98bc456
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
Parent samples :
1b48e5b3ab7fdf16b6a882222ae1d6c9736300fe0ef0b8832812213174f778bc
a9818c8a1207c3efe5622fc128ead77a8bd82cbc4cadc731b23d0662ad601884
f71d6ccca97f01d4c2c7504c441d97e7fb87049f4f68c4cf2b981e9ca37c5edf
SH256 hash:
a9818c8a1207c3efe5622fc128ead77a8bd82cbc4cadc731b23d0662ad601884
MD5 hash:
41e878a473b84aa00227fc9c46077743
SHA1 hash:
3c197a948da924b8eb327a566530ac284d218ddf
Link:
https://www.unpac.me/results/19cf0596-98d2-4c47-bb3c-07d663fb62b6/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9818c8a1207/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9818c8a1207c3efe5622fc128ead77a8bd82cbc4cadc731b23d0662ad601884

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/347201/

Comments