MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca
SHA3-384 hash:	1402476c15a72888e3ef544164600bf674f373f61308d23b322eecbc61db22fb205e419ef84cf1140842990faa64f73c
SHA1 hash:	19c37068fb9eaade4091d639b4078b1d21e2aee8
MD5 hash:	0e3611c937911177a709f5ffc83672de
humanhash:	east-robin-wisconsin-batman
File name:	New Enquiry List.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'060'864 bytes
First seen:	2021-03-16 13:33:07 UTC
Last seen:	2021-03-16 15:37:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:HIuTKPhPmTBokXVgTkX8pioBTmF1BqwAO3FDmS1:ShPQlV/X05BOLqoFa6
Threatray	3'245 similar samples on MalwareBazaar
TLSH	3D358B21E6A4ABB0F03973765432133143FDAD069226E7BD7D4831DA09B5AC585F3EB2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Enquiry List.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-16 13:37:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/78bf49ad-d0cd-4dcb-8d09-6b8bb296ce55

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.580.2857.17647.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59ef02e5-b5d1-4df8-8efc-d26a74c7ae5d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/640746

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-16 13:34:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zgyrgfnglvunkv34uw3wfzgv2fxwmcy77xqszvizfslro5d2mpfa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3862ce529663c434d80c6870db4e0946bd6aaf60e1ff5b05bbd9c4ef066a8838

AgentTesla

492a4a339324e1bb41f6d4d74b43c8bd886fed3f808532e599a49a3f220d1878

AgentTesla

4ee357dd7681ca5f80acaeb7d55df4432de5d370c73e6bb887e3461b6ed537f8

AgentTesla

703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6

AgentTesla

8078e1f99bc52197192e8e06ca039b8cac18c86c99bffa2ef70bdc3ca2bfa7ba

AgentTesla

a03e120f219832ce89401ddfe77837c3710b505e5480842bf298704b3cc38085

AgentTesla

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

AgentTesla

dca80db9c7ade94a508600fcc3982e3f8ff292d464cf3041bae8cc1600f715a2

AgentTesla

f782d415e7975acdf521b8a92ceb1e1f5c51c030dfdfdf5d798ad381003ed1bf

AgentTesla

+ 3'235 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210316-5swseq82hs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655

MD5 hash:

b7159eb14fe565d4e233604b629bbd8a

SHA1 hash:

64f82c67e6c7cbc078141162a49bffcee3d9ebb9

Link:

https://www.unpac.me/results/a55bc1ba-481e-496e-9e4b-e041051e1aba/

SH256 hash:

c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca

MD5 hash:

0e3611c937911177a709f5ffc83672de

SHA1 hash:

19c37068fb9eaade4091d639b4078b1d21e2aee8

Link:

https://www.unpac.me/results/a55bc1ba-481e-496e-9e4b-e041051e1aba/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/c9b11315a65d68d5577ca5b762e4d5d16f660b1ffde12cd5192c9717747a63ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample