MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799
SHA3-384 hash: f3f2e98e4529c14853b5cab739d7ffd7667798a9f2378d178c7ab1b94e36a632eb680acebd8e02d9936d6acd4dcec922
SHA1 hash: 136f71da888e97dd1dcadb321187c199260eb72d
MD5 hash: 32466b1e6b2ea104d176e297aa1dace5
humanhash: steak-minnesota-mars-rugby
File name:##RFQ MT-QUOTE 90920028726Y27.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:551'424 bytes
First seen:2022-01-16 02:17:22 UTC
Last seen:2022-01-20 11:06:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:Ep2mZ3/2lWIzPRWhkU561PHSdD0BeEuAu7OwhJ+g3RFzcNrt7ABEnw8U:OAoD0EEuAmO2ZcZnw8
TLSH T144C4DFA8726072EFC85BC572DEA81C68FA6570BB531F4607A027019DDE4C99BCF245F2
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
##RFQ MT-QUOTE 90920028726Y27.exe
Verdict:
Malicious activity
Analysis date:
2022-01-16 02:19:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fb6808d-e7d7-4a45-9fca-0462cf9e75be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219563/
Detection(s):
SecuriteInfo.com.Malware.AI.1034152941.3604.31603.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/61e3805ce997359713f5c55a/reports/e7e731a3-d829-4e3a-8327-44fc1c8d7b83/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/451a2bad-945a-45fc-a587-ecd7b2bbc91d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921305
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553783 Sample: ##RFQ MT-QUOTE 90920028726Y27.exe Startdate: 16/01/2022 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for dropped file 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected AntiVM3 2->33 35 11 other signatures 2->35 7 ##RFQ MT-QUOTE 90920028726Y27.exe 6 2->7         started        process3 file4 23 C:\Users\user\AppData\...\qpGbWXnRWs.exe, PE32 7->23 dropped 25 C:\Users\...\qpGbWXnRWs.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp829B.tmp, XML 7->27 dropped 37 Adds a directory exclusion to Windows Defender 7->37 11 powershell.exe 25 7->11         started        13 powershell.exe 24 7->13         started        15 schtasks.exe 1 7->15         started        signatures5 process6 process7 17 conhost.exe 11->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-16 02:18:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgtnlf2fu7x7i3wuchspp5ejj3wf36c5odmtccbbsszvx3gck6mq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220116-cracqafebn/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocument
Unpacked files
SH256 hash:
6d6255e43f8c15ac35d75832b1b8ac911010720326488ca424eee3e0566817c6
MD5 hash:
6fbeffefb041ca0248c2873f8f170127
SHA1 hash:
dc99780c9888bd4855c7fb8c75e95921ecd6a96a
Link:
https://www.unpac.me/results/8079a9b5-9bed-47e5-a251-ba9d7e7d03bb/
SH256 hash:
4ed4c6fa42e480d12918408f7cd5275d198bc6b4512b232f0c7eb1e2f5bc12b4
MD5 hash:
217737ad7f132f789b9ba90b8b3a20ed
SHA1 hash:
52edd368edb082f9c50ba1b2854945c7b69269ed
Link:
https://www.unpac.me/results/8079a9b5-9bed-47e5-a251-ba9d7e7d03bb/
SH256 hash:
7a26361c13be4367800976a27976af3f0c05e24ffa597ab9cf86b67ff4f90c77
MD5 hash:
053a1214f9a6fde19a5873a9c6863f35
SHA1 hash:
22618e8d34216def6bb81f734468dabcaa0b3094
Link:
https://www.unpac.me/results/8079a9b5-9bed-47e5-a251-ba9d7e7d03bb/
SH256 hash:
c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799
MD5 hash:
32466b1e6b2ea104d176e297aa1dace5
SHA1 hash:
136f71da888e97dd1dcadb321187c199260eb72d
Link:
https://www.unpac.me/results/8079a9b5-9bed-47e5-a251-ba9d7e7d03bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c9a6d59745a7eff46ed411e4f7f4894eec5df85d70d931082194b35becc25799

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/219563/

Comments