MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74
SHA3-384 hash:	f885215f9308c097e6981bdeaaa87914c688daf0feb4b612e1e0f33f0c809f0752d313531003409e95c66fcf0e4e5685
SHA1 hash:	75e3d8834e2bf83e72147182b457cc4f42f41198
MD5 hash:	e3a4753126706bc808dabf688b1bce71
humanhash:	happy-four-quebec-potato
File name:	d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	911'360 bytes
First seen:	2023-06-08 10:04:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:k2iNfUFotEvZ41qUQe3g86Csi9cCtpOnxcc2lt/zbpt0FO8:k1Bs0qZ4x6Csi9cCUcc2l9zbGO8
Threatray	4'968 similar samples on MalwareBazaar
TLSH	T1F715CF60EAE8C6DDD8350BF09193D4B407262D28E4E9EA560EDB3CDF31B6A44316753B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3119113da9a9a929 (8 x AgentTesla)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74

Verdict:

Malicious activity

Analysis date:

2023-06-08 10:04:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/893dc2a5-3baa-4a68-b5a1-ff98e57d1f66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/396838/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6481a7cfac63cac41b536469/reports/aaf14e8f-b736-44d1-b312-8508dfe0fea7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef8c5d0c-3299-49e9-96b2-3d17bef9d5a4

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251062

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-17 15:17:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3eyguhab2vuxwnktjpmbk3agy2qyxsnz6wbkkppberju6noq7j2a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

48a9074aa2eebe724b1e9d3828e2eb3ab0fde8d370ef71652b5ffe44cf51322e

AgentTesla

577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56

AgentTesla

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067

AgentTesla

68b61b3391e5fad5d50cbd18853fabf24c68f7adb9df0dbb44a29d810983acfd

AgentTesla

92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0

AgentTesla

9e7d1abe2f5fdce4a9a6ee0119efe08c5ccad3a27a1728471e13a32ce7574057

AgentTesla

b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab

AgentTesla

dce5cc1b0218e1f354e61012d9c5ffe4ff9f3c99e986faaf3d6386e5188b6fc6

AgentTesla

ef32afc779d1f535f073f29dc96ca6cf8dc36c1835b66017c62c8428865eef58

AgentTesla

+ 4'958 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230608-l4g3rsdh95/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6277498666:AAH4URlmeSysUKKZG20OTvrve55BRMLEu_o/

Unpacked files

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

f9021a9e1610a19bafd9f21c3ae02c8d4311e51c26088bad0b4656d12696269f

MD5 hash:

10a323a5614f656ff87524ec3a3954ea

SHA1 hash:

31fe827daa419d117c8ac75fff8253c57cb014d7

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

Parent samples :

5c55eec6f12aa60ac02540ebb2af7b7780d148d76a07ad27bfad0d4f3bc1a067
0e77fc7adca97943ad5bca6f1cd20d05e80bcdda01b29087bf1d6fccd4379063
b3fbab4d8090fb6109b890d24c1e457db6e3f6bd5e17c6be2f2cb8448d53d5ab
92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74
f45d13987da07c44c15886a61b0534254e8dfc55b9dca16156df5e2a21bfc5fd

SH256 hash:

d15bac2ee0e39278f4e039493d658bd66bbbbaa960f64cb1773b49cb7bd69369

MD5 hash:

b524f747add626801e86b4c05744a392

SHA1 hash:

29ccc80182afef231c805ee5b46bfa40eb1ffaa2

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

SH256 hash:

81d3b893aad0def2fc419f00eacab146e9bc389c261bab03416ebd5155ca68eb

MD5 hash:

c9f0b8319c7ca450341379fc83a29a71

SHA1 hash:

26dbd09bb76b06cad76d1076f7a38892d4cb37d9

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

SH256 hash:

7c3af675e56f59e313d2e5d3891e2cd8ee1c21666336a621d7c8305bdd93f2ce

MD5 hash:

d97f6602d3c624f1ccaf9a5f7f99007b

SHA1 hash:

24bd745a84c998ddd4e125f6c6356c057715568a

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

SH256 hash:

d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74

MD5 hash:

e3a4753126706bc808dabf688b1bce71

SHA1 hash:

75e3d8834e2bf83e72147182b457cc4f42f41198

Link:

https://www.unpac.me/results/10e340ac-0832-4efd-8fa6-4cd270ca48eb/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d9306a1c01d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d9306a1c01d5697b35534bd8156c06c6a18bc9b9f582a53de124534f35d0fa74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/396838/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample