MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c
SHA3-384 hash: ea33b486bb08904df534f4e9a6ceef814594e28bcb97dd723a9032e0b590a39415c30e73e47ab27be1f39f9de8da9588
SHA1 hash: e5bc4f047fba05ad26116e2208e18610fee92e96
MD5 hash: 4b53952ca3d4332a530e7a9c9e5f09f7
humanhash: potato-high-cup-fourteen
File name:4b53952ca3d4332a530e7a9c9e5f09f7.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:637'952 bytes
First seen:2023-07-17 12:14:08 UTC
Last seen:2023-07-17 12:30:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:6P6vJZSm2meaLsgDNspjqSLYCrIw/mE1fV10+QmI3teqNo:S1aLFpY9cW5Rr63te
Threatray 4'940 similar samples on MalwareBazaar
TLSH T17ED40113B62C975ED199C7B83030667863BA1FDB2826DA127CC1FDDD1872B4D0B50AE6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0b2f0b1d271b6921 (1 x AveMariaRAT, 1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
4b53952ca3d4332a530e7a9c9e5f09f7.exe
Verdict:
Malicious activity
Analysis date:
2023-07-17 12:15:20 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/61a0dc01-5112-4ff6-8090-5944d49c7aa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/422195/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.101793.24880.22578.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/64b530c87a9c6ddebf0b1a92/reports/a1f808ae-ef03-49c8-9e70-cd15d3f8ecfc/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5cd0fc16-1060-487f-a9e9-ee9ec45eeebe
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274400
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274400 Sample: 6QC6FNDmci.exe Startdate: 17/07/2023 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 5 other signatures 2->59 7 6QC6FNDmci.exe 7 2->7         started        11 qacjjHjO.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\qacjjHjO.exe, PE32 7->37 dropped 39 C:\Users\...\qacjjHjO.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmp2775.tmp, XML 7->41 dropped 43 C:\Users\user\AppData\...\6QC6FNDmci.exe.log, ASCII 7->43 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 67 Injects a PE file into a foreign processes 7->67 13 6QC6FNDmci.exe 2 7->13         started        17 powershell.exe 20 7->17         started        19 powershell.exe 21 7->19         started        27 3 other processes 7->27 69 Multi AV Scanner detection for dropped file 11->69 71 Machine Learning detection for dropped file 11->71 21 qacjjHjO.exe 11->21         started        23 schtasks.exe 11->23         started        25 qacjjHjO.exe 11->25         started        signatures5 process6 dnsIp7 45 smtp.yandex.ru 77.88.21.158, 49700, 49701, 587 YANDEXRU Russian Federation 13->45 47 192.168.2.1 unknown unknown 13->47 49 smtp.yandex.com 13->49 73 Installs a global keyboard hook 13->73 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        51 smtp.yandex.com 21->51 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->75 77 Tries to steal Mail credentials (via file / registry access) 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 09:21:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xf4v4polcm3p7v2j4jvux4x4b4fth6ldz66nglcf2m2jribx3q6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0203a7aeb82b24054ceee810c5218caf63d36c75f00b9df5ba62c41aa0ac4de7
AgentTesla
1428623f3d2769a2f63e2e07444e0af8f334cdcc0b8d38faafc06dea97ee322c
AgentTesla
273af1b5521eb9976cce02519b2a6b9036347af59cc2eb63454eacc537cee331
AgentTesla
54b8c91ae0485d795f9821b01eb839bd682aee18df6a0b54d14d6eb2a2c0e83d
AgentTesla
816dcc8bb5070ed2db687bdb064a383c946c8183f5e0c089f2453653be8a3086
AgentTesla
c3d408d3ba7f6ea4acf913b8fd845e98c587fc8a6c67f48ef3542e3895ba7153
AgentTesla
d3c78007c8fa7de455de452208e6c3f487237162369a57f01e6a79b53cb19a9b
AgentTesla
d71f0f448eaf4589f3e415bf5fd1ccc10d6ef85f2279539c263c4f6928836bda
AgentTesla
ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a
AgentTesla
+ 4'930 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230717-pewreacd2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2ddc69ca255feff0245cad4f87399a298f086f23d16ec97a0e5c6f1f79565411
MD5 hash:
63ce13fa51fdd75cc845868082e8dcd1
SHA1 hash:
e6e3821242585bdae2d9c545bbd934fb74dfa60d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a3a72005-e491-4000-876e-6e9a26829d4c/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/a3a72005-e491-4000-876e-6e9a26829d4c/
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/a3a72005-e491-4000-876e-6e9a26829d4c/
SH256 hash:
ca8ca43e1b147aac4740e83f052e009a119acb1a4b894a221f224e17dd1607cf
MD5 hash:
f6d6e5b3d5b4e7beaed1a7a2f72412f5
SHA1 hash:
0aaf714dbc886f092a28d2596fd943348be76101
Link:
https://www.unpac.me/results/a3a72005-e491-4000-876e-6e9a26829d4c/
SH256 hash:
b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c
MD5 hash:
4b53952ca3d4332a530e7a9c9e5f09f7
SHA1 hash:
e5bc4f047fba05ad26116e2208e18610fee92e96
Link:
https://www.unpac.me/results/a3a72005-e491-4000-876e-6e9a26829d4c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9795e3dcb13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9795e3dcb1336ffd749e26b4bf2fc0f0b33f963cfbcd32c45d33498a037dc3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/422195/

Comments