MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2
SHA3-384 hash: eb57b6b680ce656d419d56b5dbf7aabcb65c863ca03334c7aefc374176cfd42bfb84427bfda1424e7508be2394368b4e
SHA1 hash: f590a8f1b2f337864b166d8ce53a53e77089135b
MD5 hash: 19116e822e8178fc103e51fe18c825a4
humanhash: north-april-skylark-muppet
File name:3278-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:35'408 bytes
First seen:2021-07-28 05:43:23 UTC
Last seen:2021-07-28 19:04:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 768:fMjB/JpMfHDWqpuXDvod3UmQmv4acY2GS2C9xjwhU:UFQlpSDvoJrbvUfGS2q
Threatray 7'477 similar samples on MalwareBazaar
TLSH T190F294595150B125D6EB4AB02D61EC643B38E7B16880E10EE466960CCF82BFA74EDCDF
Reporter cocaman
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:cddw3aae0eb4KbTR3407
Issuer:cddw3aae0eb4KbTR3407
Algorithm:sha256WithRSAEncryption
Valid from:2021-07-28T00:01:39Z
Valid to:2022-07-28T00:01:39Z
Serial number: 3bbfd2c946969c65cb7fd2a6e18c87ba
Thumbprint Algorithm:SHA256
Thumbprint: 945957ec74f9a72390c7b0c7cd8032385f86f2030a30af33ec7a38eb648f85a3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3278-pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 05:48:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/49bf3e4c-f822-4536-84fc-db178ee0acbc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174573/
Detection(s):
SecuriteInfo.com.Artemis19116E822E81.17670.10435.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25e65497-23b1-4db1-9b1f-e21ff31436b9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822909
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455321 Sample: 3278-pdf.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 35 pss.net.pk 2->35 37 mail.pss.net.pk 2->37 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 Yara detected AgentTesla 2->55 57 Machine Learning detection for sample 2->57 7 3278-pdf.exe 15 5 2->7         started        12 xepul.exe 14 4 2->12         started        14 xepul.exe 2->14         started        signatures3 process4 dnsIp5 39 backupcost.gq 172.67.158.78, 443, 49707 CLOUDFLARENETUS United States 7->39 29 C:\Users\user\AppData\...\3278-pdf.exe.log, ASCII 7->29 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->61 63 Injects a PE file into a foreign processes 7->63 16 3278-pdf.exe 2 5 7->16         started        41 104.21.57.19, 443, 49728 CLOUDFLARENETUS United States 12->41 65 Multi AV Scanner detection for dropped file 12->65 67 Machine Learning detection for dropped file 12->67 21 xepul.exe 2 12->21         started        23 xepul.exe 14->23         started        file6 signatures7 process8 dnsIp9 31 pss.net.pk 194.88.106.241, 49747, 49748, 587 WORLDSTREAMNL Netherlands 16->31 33 mail.pss.net.pk 16->33 25 C:\Users\user\AppData\Roaming\...\xepul.exe, PE32 16->25 dropped 27 C:\Users\user\...\xepul.exe:Zone.Identifier, ASCII 16->27 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->43 45 Tries to steal Mail credentials (via file access) 16->45 47 Tries to harvest and steal ftp login credentials 16->47 49 3 other signatures 16->49 file10 signatures11
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 03:21:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhfvsjck4oalq7cbqiuaf7shfo5ley7haezzz2b2hu4jn655vdja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17a68f9da8d4a8ad6bedb9e2245d88ec5d368ed97c4de660057a1b4ef17b848a
AgentTesla
7fd54c9cec09c8213fb6ff87cdef3be0e7ed3e127fd9ff41576ee9b95d8fc19e
AgentTesla
aa28ed9da9cdf288cf48c84f1ff22c3f1536f9ca19029ef482be063049ae0116
AgentTesla
c2f21acde289adec4dbf7163480b89064e1eb476558c9729a520303cc75b40bc
AgentTesla
d1cf7e0daa513a6f309d5ba1cf2d854c62aad2a87cca96c543de24c19a9936e1
AgentTesla
de49258994a651e41ea2b519ae39eb815b8d26cb3097fab2dd0e1ee5c9ea37b1
AgentTesla
f3f681c71b259b83868bf64d9cbd877ddef4b78fb67b91e899e0d970e5e5de66
AgentTesla
+ 7'467 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210728-2gavd9rcgs/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
suricata: ET MALWARE DTLoader Binary Request M2
Unpacked files
SH256 hash:
b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2
MD5 hash:
19116e822e8178fc103e51fe18c825a4
SHA1 hash:
f590a8f1b2f337864b166d8ce53a53e77089135b
Link:
https://www.unpac.me/results/c76dd380-4717-4aec-a62d-d7d38403b9c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 90e4af23894afb6b2fc86d8906faa27ded6b63ec2d849d8cb2e4d32d2306aac6

AgentTesla

Executable exe b9cb59244ae380b87c41822802fe472bbab263e701339ce83a3d3896fbbda8d2

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 90e4af23894afb6b2fc86d8906faa27ded6b63ec2d849d8cb2e4d32d2306aac6
Cape
Cape
https://www.capesandbox.com/analysis/174573/

Comments