MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970
SHA3-384 hash: cec61cb405cf8047f682406d286cdbf7630fe601bec324258a20817f043d1b5bd5b17b551e937319476ef2fdcf0a44f3
SHA1 hash: 186ccbb0eb39426dc0439c7dd388930dec0ebf2f
MD5 hash: 4e4c867be87859bce4c0ca42afed00d8
humanhash: hawaii-fix-sodium-orange
File name:mx5YxLHScoqMImo.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'994'240 bytes
First seen:2023-12-05 07:10:00 UTC
Last seen:2023-12-05 08:29:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:nGpbwGhL9CgTtXcF8cpaR9MM2Tx2v8ZqgpKVad+WjGAmUjgwRl:nGpbwGpZTJc2cpW9Mjx2vGqgpz+WjGAj
Threatray 327 similar samples on MalwareBazaar
TLSH T16495229873447ADFC42BCA368AA41C14AB6025F7031BD21365D711EE9E4E69BDF242F3
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0060696969716800 (8 x AgentTesla, 6 x Formbook, 2 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
mx5YxLHScoqMImo.exe
Verdict:
Malicious activity
Analysis date:
2023-12-05 07:10:54 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/038386a9-55c1-4623-8153-820da59f0ed6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462528/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Crypt.22844.31061.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656eccd08b5ba47db2d216db/reports/d956fa45-f8a1-4f41-8568-1f994912979b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9599ce4-90ef-4ecc-94e5-f5514c42111d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353748
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1353748 Sample: mx5YxLHScoqMImo.exe Startdate: 05/12/2023 Architecture: WINDOWS Score: 100 78 mail.globalifb.com 2->78 80 fp2e7a.wpc.phicdn.net 2->80 82 3 other IPs or domains 2->82 88 Snort IDS alert for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 9 other signatures 2->94 9 mx5YxLHScoqMImo.exe 7 2->9         started        13 LElSceeKwBDH.exe 5 2->13         started        15 fssBpDQ.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 72 C:\Users\user\AppData\...\LElSceeKwBDH.exe, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\...\tmp94CC.tmp, XML 9->74 dropped 102 Detected unpacking (changes PE section rights) 9->102 104 Detected unpacking (overwrites its own PE header) 9->104 106 Uses schtasks.exe or at.exe to add and modify task schedules 9->106 116 3 other signatures 9->116 19 MSBuild.exe 6 9->19         started        23 MSBuild.exe 9->23         started        25 powershell.exe 23 9->25         started        37 4 other processes 9->37 108 Antivirus detection for dropped file 13->108 110 Multi AV Scanner detection for dropped file 13->110 112 Machine Learning detection for dropped file 13->112 114 Allocates memory in foreign processes 13->114 27 MSBuild.exe 13->27         started        29 schtasks.exe 13->29         started        31 conhost.exe 15->31         started        33 conhost.exe 17->33         started        35 conhost.exe 17->35         started        signatures6 process7 file8 70 C:\Users\user\AppData\Roaming\fssBpDQ.exe, PE32 19->70 dropped 96 Adds a directory exclusion to Windows Defender 19->96 98 Injects a PE file into a foreign processes 19->98 39 MSBuild.exe 19->39         started        41 powershell.exe 23 19->41         started        43 schtasks.exe 19->43         started        100 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->100 45 conhost.exe 25->45         started        47 MSBuild.exe 27->47         started        49 schtasks.exe 27->49         started        55 2 other processes 27->55 51 conhost.exe 29->51         started        53 conhost.exe 37->53         started        signatures9 process10 process11 57 MSBuild.exe 39->57         started        62 conhost.exe 41->62         started        64 conhost.exe 43->64         started        66 MSBuild.exe 47->66         started        68 conhost.exe 49->68         started        dnsIp12 84 mail.globalifb.com 68.65.122.101, 26, 49711, 49712 NAMECHEAP-NETUS United States 57->84 86 api4.ipify.org 104.237.62.212, 443, 49710, 49713 WEBNXUS United States 57->86 76 C:\Users\user\AppData\Local\...\firefox.exe, PE32 57->76 dropped 118 Drops executable to a common third party application directory 57->118 120 Hides that the sample has been downloaded from the Internet (zone.identifier) 57->120 122 Installs a global keyboard hook 57->122 124 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 66->124 126 Tries to steal Mail credentials (via file / registry access) 66->126 128 Tries to harvest and steal browser information (history, passwords, etc) 66->128 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 07:10:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fbg6zv2hw77c6eqj72bzpo7mvqyuc33o5vumdc3jlz7h54kxfya._file
Verdict:
malicious
Similar samples:
22831628191c902a9ecd0b30822a80fd61cbf32ca11996cc77f3faec57a2f750
AgentTesla
34cd5a3fe4b96b4fd09ec6ea72ee1cd3924d5a69cd1a27c894c44cc705e6b5f8
AgentTesla
5ff4d73cbcddd2c8f6fa1ec60c1e8e49980d180dce672e84974b1b51d90d4a50
AgentTesla
be1c3157dae47377644ac3bc9fcb301be2365769b69a8282ad71181f05eaee4d
AgentTesla
e57fb469a4416cbbca73d9f60e2ce15371f937808bf3f9cd9072344a6d601fbb
AgentTesla
+ 317 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231205-hzdm1aaa56/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
81a9e5e4f2481170ea07fbe19c19308d55453dbe893e283d74f9d34768067068
MD5 hash:
f82eaca89ad8b7c448dca6411ff2a8fa
SHA1 hash:
411af9e95ac5b764865f8f9a032458f9a7cc2501
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
7540a8e0e9269c0f175bc358c98ce6d4025b8800f1e8baf1317cf06c98a23e62
MD5 hash:
b6d62172041f1e695a475ba37cb766db
SHA1 hash:
3e53ce32ad1c35f2b1306934ce5fc6cc4b330032
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
a189210ddd5dc18f2c3220c123f6cc6ae467daea5fc1842438c0a3cdcec864c3
MD5 hash:
8f69af1b465e8a3aebc45a7f8eee0a12
SHA1 hash:
25f19ed1865e532443f2572a9b13a331b2ecce00
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
c34dfbc328de247d25d670c3b7853f1dddd2ec2607d5dbb0480743b45a15ea64
MD5 hash:
85b87384830444e6ab86a4a692ce96cc
SHA1 hash:
0d7d4614cf31d27e68ebf48e76fb1d308cc08152
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
b32f64139e9cfc3afa129ec4bd0adced5c90f5bb1d3cde1d1a6415165b875370
MD5 hash:
9385019216c64b66fb1e4ceae3ca9486
SHA1 hash:
ad74faf0fc06b34ff4ddd1f44b8cdea500c8fef6
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
72dab9aa8cd66e77be88374b0fa17e1d2a742035ba929615655ba59e089a7801
MD5 hash:
bd1e9bd18c710ea901d8fe78a244227a
SHA1 hash:
58cfcea0d363d73cbfc490a0553c4a310d0b8974
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
ca829a3b395a1fd1fca7c3a721e04facf94da82b20910b24014434e683e6e2d1
MD5 hash:
3a5d67adfb1f6c372d22dac83c761974
SHA1 hash:
51b1c86df2fa1f9f17bc7c2009ba23ecba21e29c
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
7fa6342560b497a18146dd6b9841992b18d9c077135977fe26139821058a4cd3
MD5 hash:
b4bbca1c613fcae703f1ec6fd514c496
SHA1 hash:
4145d88512331f57472fac46cf1742d97a2d1a8c
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
SH256 hash:
d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970
MD5 hash:
4e4c867be87859bce4c0ca42afed00d8
SHA1 hash:
186ccbb0eb39426dc0439c7dd388930dec0ebf2f
Link:
https://www.unpac.me/results/4015e12b-70f8-46b4-a002-541c7870341f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9426f66ba3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462528/

Comments