MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1
SHA3-384 hash: e2e4dbd1333321c6e8e6db67abc6249be47873453a969cecbf0303c157cc4cb151f93e7d8aa23c40410d9717a3727578
SHA1 hash: 7c9a62b778db3d6e08962749967c29c5f9084da7
MD5 hash: dcb57041d46889e94cf100e4e0325176
humanhash: cup-foxtrot-one-march
File name:HTG-9087650.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'438 bytes
First seen:2021-01-27 08:26:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 12288:s4y5IGtofjDTOQODX0wuyho9lyJ+DA8oziyS8rCvgdqQjJZhX+h5XCw:sh/mXTNODk3yhUlYMyS8m44QjJyDXZ
Threatray 2'453 similar samples on MalwareBazaar
TLSH EB0523A1B1E0E66BC086C77824F12EBA67C75B1029667B4F3B8133183857BE34A6D553
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HTG-9087650.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-27 08:28:31 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/0b7c6a1e-3925-4aba-8786-1aab95149258

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114625/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/591618
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xgzmaxazhjw7oetghagbalddkgm2iutdoiwghfnawa66qgnad3qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
15adffdd98424d4317bce40e3ba268620ae78df9aca409d4e18f2f9c57d26824
AgentTesla
1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420
AgentTesla
1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
AgentTesla
1fb769b269392860ff1951b079f7b8cf4bbe22e09a856e15fbb7a5426aa6a109
AgentTesla
2d03d586cd5f7c3a9cdda77d45f78124acfef0879489a78081b6885eb75dcd2d
AgentTesla
6c6c4041482944d1b1990286dd40957b91316c51cf38091a4768cee84811f3ec
AgentTesla
78f2e6b22029260e24aa12f380a47137c8306ab44a6174701e2147431471370d
AgentTesla
a690487422504d796125e9df91b906d43a3584cb8b9da7d06fc8f50ce8126c33
AgentTesla
b9df96522a30d05a026ab8874eef5ddae02042585e4cc5773909838250cf2635
AgentTesla
fcc8681690501353e6d76cb30176c9972dd81817fe2d02a99ab0f669e78e349a
AgentTesla
+ 2'443 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210127-rymtny459j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
Link:
https://www.unpac.me/results/21819f64-8a80-478a-abb8-af51bf1871b1/
SH256 hash:
5b6fa74ddeb750128a628e53726e4721ac2605e6cbb051f642d4637041d69c8f
MD5 hash:
74024c3dfdd34de5501514d10bb2b909
SHA1 hash:
6c3d722761b7a2acb7f8ccd3957cb7b81123a51e
Link:
https://www.unpac.me/results/21819f64-8a80-478a-abb8-af51bf1871b1/
SH256 hash:
ef3076f6d5133737cdde48424c5d9c81a9950058ec8a613e04aef8330488c230
MD5 hash:
251c71a2e4d45be867d59ae3a17748ef
SHA1 hash:
31374500c62e5d449df14e31d2c365e12ee79221
Link:
https://www.unpac.me/results/21819f64-8a80-478a-abb8-af51bf1871b1/
SH256 hash:
b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1
MD5 hash:
dcb57041d46889e94cf100e4e0325176
SHA1 hash:
7c9a62b778db3d6e08962749967c29c5f9084da7
Link:
https://www.unpac.me/results/21819f64-8a80-478a-abb8-af51bf1871b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip b32197b3c7762c92f30c2a4fdbaf342385c6172eb7437ad4ea06ddc5d9dfa994

AgentTesla

Executable exe b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b32197b3c7762c92f30c2a4fdbaf342385c6172eb7437ad4ea06ddc5d9dfa994
Cape
Cape
https://www.capesandbox.com/analysis/114625/

Comments