MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04
SHA3-384 hash: 75dfd3dc9ea0444422a11da2ab66d6cc85b5ae451cf6387e2f88b2db4c8ba33739dcbfd5355f889aad2673497c078d99
SHA1 hash: c9ab9b9febae1b884122a1a9d823f2d300659b3b
MD5 hash: ed55b32151792a117b9c9bfe439734cc
humanhash: april-alpha-single-virginia
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:243'712 bytes
First seen:2023-09-14 13:42:31 UTC
Last seen:2023-09-29 16:29:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:XclYULRgvDeka2be0UtIlNp3X/GNTAPTBQbYrwoNKMCh:smUlgvDekPbe0UtILQbYMw
Threatray 5'598 similar samples on MalwareBazaar
TLSH T1FF340E037E48EB11D6583D3B82EF6C2853F2A0D71633964BAF48AFA525552536C6E33C
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
284
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 13:45:53 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/a31e59f2-b26c-4763-adf5-d0e9b3d58bfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448642/
Detection(s):
Win.Packed.Generic-10003641-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware hacktool lolbin packed packed replace
Link:
https://www.filescan.io/uploads/65030de69bae8a3785570730/reports/e982cd67-04f6-4589-965b-6a40a82f6064/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dc54687-a998-4dc3-be30-4d4982e4f8ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307919
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2023-08-15 15:51:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhegsr5uixpwn7tylhbwrbpbcrkxipdxnjhjseizf2ndkxxm3yca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
006097e3d7d6197a68620f216825374a2c2d77c77353c0588afe63a74e5cbc43
AgentTesla
508432c3300c1ae6bcd805aeb5c114dd4ad34f71f8aa25d41616038153142a89
AgentTesla
5fd07dc149245f0e030ebc164f54ab264c41afee13f1015c59bf3bc10fdbc37d
AgentTesla
727096181382a9795ce59638b0030e97223c9e5c12738332fe93caedc5b1da93
AgentTesla
7fd4f276c26f9d25e10af688e4b21db9719e2f03b9ef0b33eb9f6fa83a1a6591
AgentTesla
8eb67ef01c5b94ac2d62942cc2b7678b1172350028dab7d9f5e04010ac4b9d78
AgentTesla
cc0ff94435a883b461d26716d636619c6c670e6e574a2f58ad76f5c1f6de5d40
AgentTesla
d01903480e2d2cc9a33d4318568d77ee3e04531e74b91f09cfff9d1d99d38b6e
AgentTesla
e153822c2b44991890999567badd47a2935249fa5f25d50042fa586d857c9065
AgentTesla
f45bd55f4bcfa912f42082644048a3b1bb49c773fffa9fe84843c79a2c3b9eac
AgentTesla
+ 5'588 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230914-qz8gdacd6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04
MD5 hash:
ed55b32151792a117b9c9bfe439734cc
SHA1 hash:
c9ab9b9febae1b884122a1a9d823f2d300659b3b
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/979a6165-5fac-4c44-8b12-a9ce4d06abe2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9c86947b445/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9c86947b445df66fe7859c36885e11455743c776a4e9911192e9a355eecde04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/448642/

Comments