MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777
SHA3-384 hash: 53474e32c86b967b59d2e52e11f7b6cd3be82ea39f932d129543089332a6a446187da157fd0ef6eae8de405a78620c03
SHA1 hash: 6f6dbce9332a844976698b75911c77afebb1543f
MD5 hash: 9b0315924b8b25d861199d276becfd34
humanhash: five-coffee-virginia-mexico
File name:9b0315924b8b25d861199d276becfd34.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'221'632 bytes
First seen:2021-06-29 19:33:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0jq28uyXXKMcUgNIU0FSbpHpkvbd07cGhzlYgznl9:eq2wt6HLbzfx
Threatray 4'986 similar samples on MalwareBazaar
TLSH E345144DBCF43683F22B96BD36C960E24275BC2D9B18EDE35D82F3E6056160AA477503
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9b0315924b8b25d861199d276becfd34.exe
Verdict:
Malicious activity
Analysis date:
2021-06-29 19:47:19 UTC
Tags:
trojan rat xpertrat stealer
Link:
https://app.any.run/tasks/bbf10481-a3b2-4596-a0af-19a6dceb4214

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168824/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.800-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b371ff6-7948-4d59-a2bb-4d34050ea8e1
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809639
Signature
.NET source code contains very large strings
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables user account control notifications
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442052 Sample: GMdeajdu6W.exe Startdate: 29/06/2021 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Yara detected XpertRAT 2->53 55 Yara detected AntiVM3 2->55 57 5 other signatures 2->57 10 GMdeajdu6W.exe 3 2->10         started        14 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 2 2->14         started        16 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 2 2->16         started        18 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe 2->18         started        process3 file4 45 C:\Users\user\AppData\...behaviorgraphMdeajdu6W.exe.log, ASCII 10->45 dropped 65 Injects a PE file into a foreign processes 10->65 20 GMdeajdu6W.exe 2 10->20         started        23 GMdeajdu6W.exe 10->23         started        67 Multi AV Scanner detection for dropped file 14->67 69 Machine Learning detection for dropped file 14->69 signatures5 process6 signatures7 59 Injects a PE file into a foreign processes 20->59 25 GMdeajdu6W.exe 1 1 20->25         started        process8 signatures9 61 Changes security center settings (notifications, updates, antivirus, firewall) 25->61 63 Disables user account control notifications 25->63 28 iexplore.exe 3 9 25->28         started        process10 dnsIp11 49 mertrerfeyy.duckdns.org 195.133.40.193, 49738, 49739, 49740 SPD-NETTR Russian Federation 28->49 47 J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4.exe, PE32 28->47 dropped 71 Creates an undocumented autostart registry key 28->71 73 Creates autostart registry keys with suspicious names 28->73 33 iexplore.exe 28->33         started        35 iexplore.exe 28->35         started        37 iexplore.exe 1 28->37         started        39 4 other processes 28->39 file12 signatures13 process14 process15 41 WerFault.exe 33->41         started        43 WerFault.exe 35->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 19:33:19 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yee73spoxxotkik4ejrydkegwtzp33ejk2wjz7ccrs5w542ak53q._file
Verdict:
unknown
Similar samples:
1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
AgentTesla
29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
AgentTesla
49b1f7e34f74b3ea4b97852292dfd6e856a58f74a181f5a3aadd6356503ae617
AgentTesla
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
AgentTesla
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
AgentTesla
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
AgentTesla
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
AgentTesla
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
AgentTesla
d171f74f5d0cb8a469db9262869b3798ae0ed18098b4017207ff7f6e69fcd07a
AgentTesla
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
AgentTesla
+ 4'976 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan upx
Link:
https://tria.ge/reports/210629-p315pw6l2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Program crash
Windows security modification
Adds policy Run key to start application
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0
MD5 hash:
939a42faab70585cf4aed59c73425492
SHA1 hash:
ccc57ed7de341f637e1ba6e671105ec304bd2c4b
Link:
https://www.unpac.me/results/5fd24b3c-47eb-4dc5-9fa1-cc9cd0d5c6ad/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/5fd24b3c-47eb-4dc5-9fa1-cc9cd0d5c6ad/
SH256 hash:
08fd6248f0dffde9817be27867c2cbe90c89e641d424bce67b54f96ef84a6a43
MD5 hash:
d8c2072238f12bcd6c2e5993b8caa32a
SHA1 hash:
17b97f8b4a58eb08371613e00a3d29aae85aa118
Link:
https://www.unpac.me/results/5fd24b3c-47eb-4dc5-9fa1-cc9cd0d5c6ad/
SH256 hash:
c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777
MD5 hash:
9b0315924b8b25d861199d276becfd34
SHA1 hash:
6f6dbce9332a844976698b75911c77afebb1543f
Link:
https://www.unpac.me/results/5fd24b3c-47eb-4dc5-9fa1-cc9cd0d5c6ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c109fdc9eebddd35215c226381a886b4f2fdec8956ac9cfc428cbb6ef3405777

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1150070/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168824/

Comments