MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 10

SHA256 hash: c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc
SHA3-384 hash: 8572baeb48af8a4804a57c5aaa79ef9b01701087613a817f933e9b453031ee8b2c6b8e74d6ab9a47676b276f73a4fce9
SHA1 hash: 6294eab2dd2c7d95f70b2837cfbd8bc87b7d9825
MD5 hash: 94cc2d7270498b41238168d5d3367caf
humanhash: bulldog-west-gee-finch
File name: Receipt.exe
Signature: AgentTesla
File size: 499'712 bytes
First seen: 2020-12-04 21:16:22 UTC
Last seen: 2020-12-05 09:51:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 6144:4U3KLkvx2KmyPwZOmrteGjeylJ811Xy4aj0YX2pc6d/lezGys7Vz/uRpicM4lTwu:4U33OdeGjeCJ8XCczizVs75WCn5xRI
Threatray: 1'692 similar samples on MalwareBazaar
TLSH: 6EB4F13523657F96EA794FF462A034084FB4B53B6622E24DADC512DE30F7B118E90DA3
Reporter: cocaman
Tags: AgentTesla, exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 314
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph (ID 327154; sample: Receipt.exe; start date: 04/12/2020; architecture: WINDOWS; score: 80). Information recoverable from the graph image:
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AntiVM_3; 2 other signatures.
Network: g.msn.com (DNS lookup); 192.168.2.1 (unknown, contacted by dw20.exe).
Process chain: Receipt.exe started; dropped C:\Users\user\AppData\...\Receipt.exe.log (ASCII); signatures on this process: Writes to foreign memory regions; Injects a PE file into a foreign processes. Receipt.exe started RegSvcs.exe; RegSvcs.exe started dw20.exe; dw20.exe contacted 192.168.2.1.
Threat name: ByteCode-MSIL.Infostealer.Coins
Status: Malicious
First seen: 2020-12-04 19:45:00 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash: a60401dc02ff4f3250a749965097e13f
SHA1 hash: 3f22d28fd765f831084cb972a8bd071e421c26a1

SHA256 hash: 33c0869ea884b0a2cbac0c5ce5812808ac6fe19c670b850e2c80b1d8b98fc574
MD5 hash: 872295358623158189a23ac67add4794
SHA1 hash: c3fb26f5ee5f3bddfc314c1024733116535b40fc

SHA256 hash: 75bc650b9f0e2ab814f67487ab72fc72f6fecdec0f5e6c00e05da66cffaf8133
MD5 hash: 5e8047fd239281a7ade45cc3602b47a5
SHA1 hash: fbfdbb46829fdcd9c14466352d290a0dbb6c557d

SHA256 hash: c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc
MD5 hash: 94cc2d7270498b41238168d5d3367caf
SHA1 hash: 6294eab2dd2c7d95f70b2837cfbd8bc87b7d9825
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: AgentTesla
File: Executable exe c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc (this sample)

Comments