MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA File information Comments

SHA256 hash:	c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4
SHA3-384 hash:	352c1e542380d5c4001ff236a3211ab10784027ed29a496e42120606d4eb397faf3eb9680161d120e760a3fa164300cb
SHA1 hash:	72db24174d891f1afe5487c630d84c828cc4a1fb
MD5 hash:	bfe5f5e379a125683510eebd80512be3
humanhash:	papa-saturn-apart-quiet
File name:	2QPDLF3M.EXE
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	956'928 bytes
First seen:	2023-12-29 16:01:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:RdKxnV/AyG2iNuOUd7LAGaE0tj79rcaxBdTq20GTnB9V1TjMj5FxS:RdKj/w16ZAGkZ9rcandTqwTnB9VpMj5
Threatray	2'451 similar samples on MalwareBazaar
TLSH	T16F15D43F5BBB292BCD76C2B5C7F48467B313D46B3111AA695AC6DF950302B4228C325E
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	6ccccce4e0f8ccc0 (6 x AgentTesla, 4 x AsyncRAT, 2 x RemcosRAT)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

420

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4.exe

Verdict:

Malicious activity

Analysis date:

2023-12-29 16:09:35 UTC

Tags:

evasion stealer agenttesla

Link:

https://app.any.run/tasks/35d1b0f3-ebc7-4944-bb1b-bc836a0d3471

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Setting a keyboard event handler

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/658eed7bf4b6e5e1635f1f82/reports/88edebb8-feb2-453c-979f-5561158e2f2c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6dfca692-2045-4185-9e7d-2837ef140193

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1368018

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-28 11:31:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zhceblvizncw4gkmazmsmlhwgzps4gr5pqfqgjh33jxppwyoh3sa._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

268df61fa4fc10d350f4ef84296250ecbfffcdff8ee993ddfaa9205aeab835f6

AgentTesla

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

AgentTesla

8ded0da09fc0b8996bbca51a3f001669e85a74b7da56a64d97c1168c8d6a4b0d

AgentTesla

c7cc0f7a7ed0c73215911f54bc1af9665d7e364d94de0cc691a14adc8fb5e574

AgentTesla

eca38ab8f3b089027841b1acd760b43e7697eef4dd347f76a175774bcb1b444a

AgentTesla

+ 2'441 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/231229-tgryfsecar/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e0d6ccd4eef1083936ea45d9bb8d95d67919c5a31bf1bd36e73335784d5e4cdf

MD5 hash:

0a050ea4a4824d6fa7d6a1083eb89a3d

SHA1 hash:

e069f3c095a4a0bdc045781c82cc23a34e9fcc1e

Link:

https://www.unpac.me/results/de1f79fe-c094-4734-9f1e-bf9159cbfe16/

SH256 hash:

338351000da640530c2f23f1cdbd5529459f57f05ced197801ac86405180983f

MD5 hash:

dfc1e145c652da827f2c382186ea2834

SHA1 hash:

53e28e6d095d6d47a95bd14125a7d0651516b7d8

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/de1f79fe-c094-4734-9f1e-bf9159cbfe16/

Parent samples :

c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4
53b88a249d4c970ada7b688e9e44282aa3a36c44a4b170bd2988b5b53c8a224b

SH256 hash:

21afe82a0b71ee589c26f32dc88e0a6e22817f21194b2a83f1807c6cecc8c818

MD5 hash:

440bb4db146ccb1161ac2bcf365d7676

SHA1 hash:

506eda511b46df6e95d86861e70fda81307f8623

Link:

https://www.unpac.me/results/de1f79fe-c094-4734-9f1e-bf9159cbfe16/

SH256 hash:

e3d65bd9581460ee982d8040e2376222317843cba4c45e1e8567a4bb2d426f66

MD5 hash:

0a64362f023ad6fb6846acba666136ef

SHA1 hash:

1cf8a0db76830c2a093084e2b04f268648a943de

Link:

https://www.unpac.me/results/de1f79fe-c094-4734-9f1e-bf9159cbfe16/

SH256 hash:

c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4

MD5 hash:

bfe5f5e379a125683510eebd80512be3

SHA1 hash:

72db24174d891f1afe5487c630d84c828cc4a1fb

Link:

https://www.unpac.me/results/de1f79fe-c094-4734-9f1e-bf9159cbfe16/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 042a7c109c5b7465acba0dda0ef8b3bb8b5737085b7e1581ef164bca7f4426d7

AgentTesla

exe c9c440aea8cb456e194c0659262cf6365f2e1a3d7c0b0324fbda6ef7db0e3ee4

(this sample)

Delivery method

Other

Dropped by

SHA256 042a7c109c5b7465acba0dda0ef8b3bb8b5737085b7e1581ef164bca7f4426d7

Dropped by

MD5 8733ccfa5f216a3719521711899a667a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample