MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
SHA3-384 hash: 17473deffe0f7b6e36bb801c76501d1f9cae3b376353960ea489246b24a965a2104c3855c5d696a39100c39c5e90e288
SHA1 hash: 4ff679166f942395b2d335757f759f39fe8dcdd4
MD5 hash: bc093d7923b582bc37b09a814940a4e4
humanhash: uniform-lion-golf-oven
File name:payment confirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:805'888 bytes
First seen:2023-12-01 18:54:34 UTC
Last seen:2023-12-04 13:07:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:QWodJz/ZGPpglaJwnQieFtD6Ba+FdEmp2UdAmhu1qCvRUULCeNPSiyyjK:QzEpglw53t2I02wfU1PnNPd8
Threatray 724 similar samples on MalwareBazaar
TLSH T109059F517388988FF8DF05F2501E813252B8A99F9156F78E3B43AE6919D3381149BFCB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
323
Origin country :
US US
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
payment confirmation.exe
Verdict:
Malicious activity
Analysis date:
2023-12-01 18:57:15 UTC
Tags:
purecrypter agenttesla stealer
Link:
https://app.any.run/tasks/7917aa2a-6c8e-4312-9cd0-22eb09a3ee0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461808/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.3696.2636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e8f56ad-9d8a-4a88-a9ed-17c23f962a26
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1351656
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2023-12-01 18:53:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3glbxer5kgd4vnwgefve3yhwdib2et6tz5twljod5mewhyc7laga._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
AgentTesla
5b614a4b5b02994b6900991eed28ee0a76a753d9e134eab400cccfc9ecd37e0a
AgentTesla
611736ddb98d5e8561be8977e92737e3833203a8a2e9428436b003d20bc09b01
AgentTesla
8fc8d08ac95f945b863195ee3556c1e756754faff354db781a67a9323b4c06fc
AgentTesla
d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
AgentTesla
dbb832a8e39eadb4dff92c86785f16fc52682f8acfe0a831a4ce8b6a958e93ea
AgentTesla
+ 714 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231201-xkrnmsfb77/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b363b408508f17bade5c83465a0f6b2b856a6f3443ad488284c8b11fb99bc46d
MD5 hash:
c65c13c3999c2f9d0299b7ca1a8b395d
SHA1 hash:
6da0808c3f2bec2a820686eb5cf959d7c01ec3f5
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/1477dcfd-fa45-4962-b80a-574f8d901b3b/
Parent samples :
864fd318ac33d9788aaaa7ec0414ace672ca381ef2f7d4d878e3e4789c9b8976
e16c1dfcd46162a057a38ddc99698d28e9da15d37d15cce27dd49b0411f95556
261445c7e46260e4be5a14f4603478a26bb69b3158c81197c62786f43be29939
242c9fcb4922c50dec24989b8994de592f9c3eab91b64196f106a54cf89ba61f
391085720087ca47539076781ecfb5e4027f3c89bb19097b0c3d9e599cc6b6cd
d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
91ff3998adf51757d7580e1c190ff9f4c12e9b2de48b56c7507824753a9930e2
502d7ec69173cc68e242caf59956a90e519dad247b118c60394be96c9474f2d3
d11d805c3dab49566aad8dfe6d9bbd1c206918980870792ed9d496e8836aefe6
2992b737cc487bae341eee8c6b11377b5baaace7ee2904ba6e4c91c542f1a515
SH256 hash:
5299de66498fc5b1b092b4147d9c564ad3fedbb214ecc2bf2af8dbe2239893ca
MD5 hash:
c237def497251d0e1e94572bef6879c7
SHA1 hash:
5b13a4c2b85ef5c85920900bd7d61d00030457ab
Link:
https://www.unpac.me/results/1477dcfd-fa45-4962-b80a-574f8d901b3b/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/1477dcfd-fa45-4962-b80a-574f8d901b3b/
SH256 hash:
951e9966735926a81848dc2bad6664093f0b181d0e4981bb371a708caa564acb
MD5 hash:
8e9bf409eb8c03f6a1da90348d343545
SHA1 hash:
14043a51ff5916e6d4e36065a3867bcb88eafe51
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/1477dcfd-fa45-4962-b80a-574f8d901b3b/
SH256 hash:
d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c
MD5 hash:
bc093d7923b582bc37b09a814940a4e4
SHA1 hash:
4ff679166f942395b2d335757f759f39fe8dcdd4
Link:
https://www.unpac.me/results/1477dcfd-fa45-4962-b80a-574f8d901b3b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9961b923d51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 5e677270292e15434757d07857994ecd05b20c0872120d9858b94f56186ff6aa

AgentTesla

Executable exe d9961b923d5187cab6c6216a4de0f61a03a24fd3cf6765a5c3eb0963e05f580c

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/461808/
  
Dropped by
SHA256 5e677270292e15434757d07857994ecd05b20c0872120d9858b94f56186ff6aa
  
Dropped by
MD5 2bda9ab0ecfb10e452c32de33eb5c0ab

Comments