MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad
SHA3-384 hash:	ad5c5bc64e8bdc5f92378f5f0a16fcecbd257e48fc67f1685ea567384951c19e981ceb598d95f75bd413433de0ea46b7
SHA1 hash:	d0ebdd8c0fd0a6baf96bc187b012981685ac138f
MD5 hash:	78d8eeac81b803458a7af557e7a6616b
humanhash:	mexico-minnesota-mirror-victor
File name:	Bid RFQ_pdf.gz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	593'871 bytes
First seen:	2022-03-15 14:48:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	12288:6sQF2KfpUOa0YIwQ/AqGluk9vn+NN2qQ9gXrcbmiH5u59gt1kZjp:GRT9v8cN2qqg7w/HQEkZt
Threatray	19'160 similar samples on MalwareBazaar
TLSH	T103C4121BB2C0E3E6E82482B1547EC03597722C6B91F055BF3385F77E1BB11F25A0A969
File icon (PE):
dhash icon	c8f8f8d8d4c4fcc8 (1 x AgentTesla)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Bid RFQ_pdf.gz.exe

Verdict:

Malicious activity

Analysis date:

2022-03-16 05:03:43 UTC

Tags:

installer trojan rat agenttesla

Link:

https://app.any.run/tasks/9f386a87-05e0-4370-842e-f9472177bf7e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/250938/

Detection(s):

Win.Dropper.Temonde-6571898-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6230a76bb94fb38cb48588ff/reports/3448462a-3731-42eb-8490-6480a01067b4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ce753b2b-9ee6-4bf1-bdfc-e691f5c174f7

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/957119

Signature

.NET source code contains very large array initializations

Antivirus detection for dropped file

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-15 15:40:25 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vhkwvfyo5rsy5nt2ai76pmmiuqtvjgosvt47sgazv2k77s7lxwwq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5168c572e69b3f0a5742e12e645eeefedf6c00b377540fc9ce5cff38169ccb19

AgentTesla

74c2f8176fadf84bb04083901d52033b0975245676b45cd8607d80bebc91e570

AgentTesla

86360d8e1d473b72a48bdc1e7de4cd2fe3c20cc94c22fb4463ea15328d40f2c4

AgentTesla

acd30587225c95ccfdadc1e18152c01911c0ee78486c921034a6e5de12ce7376

AgentTesla

b045b7b993b005e1930ca50a9eb65df8b62ca29d1dfdbbb28ca6621384172908

AgentTesla

c21d2f1d2c5dad844ee2c789b2a424f0808e9eaf4edbf4319dca34531aacbe2c

AgentTesla

c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4

AgentTesla

e644c575f18d16b4e432bc02d45c35aff42affc618f7c08e3d9139405e0cea7c

AgentTesla

efb57210b5fd113a175d3ad61b58e60c90f42b31b55f8f85b517378954ba8b05

AgentTesla

+ 19'150 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220315-r61wjschh3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad

MD5 hash:

78d8eeac81b803458a7af557e7a6616b

SHA1 hash:

d0ebdd8c0fd0a6baf96bc187b012981685ac138f

Link:

https://www.unpac.me/results/d923e08c-93dd-428c-8e4d-cc411b16964f/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a9d56a970eec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f

AgentTesla

exe a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad

(this sample)

Delivery method

Other

Dropped by

SHA256 cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f

Cape

https://www.capesandbox.com/analysis/250938/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample