MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3
SHA3-384 hash: 0d52cc446985c2b89a8d31986edc1bb453d63bf6763ce527752b2aa424226ba8ac410d67772b14004b5dc14f1086c81f
SHA1 hash: c6bd4caab3584eec2d59c21d526f6d7c7d97d161
MD5 hash: 343df2292e675417c6ff16fc647da34a
humanhash: one-arizona-harry-coffee
File name:JJD202202240500100026901_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:830'976 bytes
First seen:2022-02-24 04:06:02 UTC
Last seen:2022-02-24 05:51:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:XCyxiEyfK3zY9so9IxInUCtR/GnPSeknOKDy:SdEyf2xo97nr/GP+Oh
Threatray 16'080 similar samples on MalwareBazaar
TLSH T14D05CF1035AB20DDF063DAFE9ED8FDB1DD6AF53A220E76BA20460F164B49901DE12572
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244040/
Detection(s):
SecuriteInfo.com.Artemis343DF2292E67.4055.3531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6217042d2fde1a6198ffb74f/reports/64cf7da9-6dea-4464-8edf-e7c798b02780/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29138823-e39d-4bcf-a384-14092ad6fd17
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/945347
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 04:07:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zeqaznovkamgshy3ort7sc5ejhmfe4xssuuepkvxe3hfhukkmpjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
188b05a7d982f85116bd27a0fc5943ab7a8bda1e128b97a3039c5819fea90119
AgentTesla
27063a947fb63661a2a131bba2aa322b7d3769bd0ac7a893c5c71a8593cdcd8a
AgentTesla
3af0a9ad9d1f4116b70e681dd60f9d10a05050574585382c0ac0dad2ccf2a3e5
AgentTesla
4e46927fca13b53697d0a5c5257df1075af4e356f2f48ac518768793051f317b
AgentTesla
79001cdea4e9f4dea6fb4a9ad4a04439f59daf5e980ffff69bebc8c82e3da52b
AgentTesla
8ad92322cb846fdababb127d4bfecc5d60d710f004b0d349e8397c1f7b342507
AgentTesla
af1ce5c2a758843b6812b25d3f7646fe186575c7b06510cf8fdbcbe1f827c0c9
AgentTesla
f7437bba4e59178441160b2b89e5aa94ee2afca4f07b7f1a47d5e93468de4742
AgentTesla
+ 16'070 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220224-en37qsbhb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
da25f85b3555f458407b830502152b5a8b2ae7f3c3d261c5b178f7095bbc6cfb
MD5 hash:
98974ca0c70129675e975b8a6998036e
SHA1 hash:
efba17834b65edebbbc592970ad1254a3a3ab197
Link:
https://www.unpac.me/results/17c4f877-b3f6-430f-bfa8-5ba62270c0bc/
SH256 hash:
2c9301e9c2bf2a615b6ff7b83803158e29eba613fb85b8abcc1393cba97e1abb
MD5 hash:
16477cb608813086a4a3989d557d16c6
SHA1 hash:
d9a2dcacdc774f4327146a65f9c06a7b5985aafd
Link:
https://www.unpac.me/results/17c4f877-b3f6-430f-bfa8-5ba62270c0bc/
SH256 hash:
906a0b3e956afad2fbf9868c20deb2f0263d442d4bb948b9dfa78e151fa68332
MD5 hash:
c9940f3349ca5a4e76570dc315cc66e6
SHA1 hash:
a780d61def2dc2a1a8616851e58972a0ec6eba72
Link:
https://www.unpac.me/results/17c4f877-b3f6-430f-bfa8-5ba62270c0bc/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/17c4f877-b3f6-430f-bfa8-5ba62270c0bc/
SH256 hash:
c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3
MD5 hash:
343df2292e675417c6ff16fc647da34a
SHA1 hash:
c6bd4caab3584eec2d59c21d526f6d7c7d97d161
Link:
https://www.unpac.me/results/17c4f877-b3f6-430f-bfa8-5ba62270c0bc/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c9200cb5d550/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9200cb5d55018691f1b7467f90ba449d85272f2952847aab726ce53d14a63d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/244040/

Comments