MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f6f3b9202df46f9e2b996e4c47cd77ea107932712c50d300f3d0ddefa75686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	b9f6f3b9202df46f9e2b996e4c47cd77ea107932712c50d300f3d0ddefa75686
SHA3-384 hash:	4fa37cda58eb71b46eda10a5a1d3cfcfa7df4714c9ee3522c64f6684d146cc277c1604cafcfb547feeacfbb948daaf05
SHA1 hash:	a0eef6a6122dab1d2c0e24c2d39edf0eb9999b05
MD5 hash:	2a2c37b0186b83c12b975807546da3fb
humanhash:	moon-whiskey-kansas-iowa
File name:	SHIPPING DOC.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	489'984 bytes
First seen:	2022-11-28 13:48:38 UTC
Last seen:	2022-11-29 10:52:46 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:qwpYDXo4z1SRFedmp4JgoIkfoqbalNgp:qww4U1SRFr4ao9Aqbaly
Threatray	692 similar samples on MalwareBazaar
TLSH	T139A4239CDAF6A64AD0F7C33048AA5F2F01F15E05FA91874F217AA48DE57EC1B42CE464
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SHIPPING DOC.exe

Verdict:

No threats detected

Analysis date:

2022-11-28 13:53:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/94a98827-f401-4355-bad0-9637e0a684b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339440/

Detection(s):

SecuriteInfo.com.Malware.PDB-57.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Creating a window

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6384bc52536377388865eba0/reports/d82e10c7-165a-49a5-aadc-4cd7ce05f225/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/02cac4a9-15ad-4fcc-a335-3d24b11a33bc

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1122550

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9f6f3b9202df46f9e2b996e4c47cd77ea107932712c50d300f3d0ddefa75686/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2022-11-28 04:59:24 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xh3phojafx2g7hrltfxeyr6no7vba6jsoewfbuya6pin335hk2da._file

Verdict:

malicious

AgentTesla

3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

AgentTesla

4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499

AgentTesla

81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f

AgentTesla

ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9

AgentTesla

dd1d02c072a5644dbbbcadc2a8b6195cd420b55a6f8ec2309d0e1682f434bdff

AgentTesla

e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3

AgentTesla

fc4f03fc4b6d9495dfee1c7e31788915bc3d2bb25eb007f2fc4cbefaf2793491

AgentTesla

+ 682 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221128-q4nyjacf5x/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

b9f6f3b9202df46f9e2b996e4c47cd77ea107932712c50d300f3d0ddefa75686

MD5 hash:

2a2c37b0186b83c12b975807546da3fb

SHA1 hash:

a0eef6a6122dab1d2c0e24c2d39edf0eb9999b05

Link:

https://www.unpac.me/results/150fd77e-d15e-4548-8e8a-5defdecb931a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b9f6f3b9202df46f9e2b996e4c47cd77ea107932712c50d300f3d0ddefa75686

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339440/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample