MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291
SHA3-384 hash: 1bc0216bf3fb81585a06fedfd4c932ee4ccd67294dda2da47f65402ffff5e2a757344aeb6b1b7c2cd8d70ff797e1a286
SHA1 hash: 652e1073239fa0570c000315c80ba17b86c0fb1c
MD5 hash: 14cd46a14456cb563b7754e6c1f21d39
humanhash: alaska-may-juliet-uranus
File name:RE Offer Request.rar
Download: download sample
Signature AgentTesla
Create hunting rule
File size:612'439 bytes
First seen:2023-07-22 08:41:42 UTC
Last seen:2023-07-22 08:46:56 UTC
File type: rar
MIME type:application/x-rar
ssdeep 12288:/98plpdqW0BlBhaOLknuyKrfFqf+4CyiVmpM:/HDB5Auy6Fq4p8y
TLSH T1E4D423C028D1483C786DB43586DE9799FE09FA7EDA1B32CE4A6CB665342D640770A34F
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla rar


Avatar
cocaman
Malicious email (T1566.001)
From: "janice.jones@atacgroup.com" (likely spoofed)
Received: "from atacgroup.com (unknown [45.81.39.59]) "
Date: "21 Jul 2023 04:03:24 -0700"
Subject: "tracking Document"
Attachment: "tracking Document.rar"

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:GcCE76hjL8UkxbX.exe
File size:824'832 bytes
SHA256 hash: 3e6bbe38e8e9e781e0354485ee68334d4b81ae0077a280d2b4c42fc747cec650
MD5 hash: 29f4a9b774e5d766f15ce000d9c9e919
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291/results/dashboard
Gathering data
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 08:27:42 UTC
File Type:
Binary (Archive)
Extracted files:
21
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhvimlqpv2k3y76bvtep7v5p3kuw5lcczcvpju6e5jd43czumkiq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230722-l83j9sba4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c9ea862e0fae95bc7fc1acc8ffd7afdaa96eac42c8aaf4d3c4ea47cd8b346291

(this sample)

AgentTesla

Executable exe 3e6bbe38e8e9e781e0354485ee68334d4b81ae0077a280d2b4c42fc747cec650

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 3e6bbe38e8e9e781e0354485ee68334d4b81ae0077a280d2b4c42fc747cec650
  
Dropping
MD5 29f4a9b774e5d766f15ce000d9c9e919

Comments