MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6
SHA3-384 hash: d8b5ffb37c180aa2ef4dd51150ffd915640c952adb9c8f95a67c19e8ed77b50f618dfce94ff8909c1efd16738bccfb5c
SHA1 hash: fdb5974ee3a6d14b583a9c5f5c01e64d2233dbf2
MD5 hash: 7b7e201e5db6628a14b2616ca73e94c6
humanhash: speaker-tennessee-failed-west
File name:ADEX SU QTY -7184.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:529'920 bytes
First seen:2022-01-18 10:27:34 UTC
Last seen:2022-01-18 13:11:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Zo3aP80D3dr4EZ6lraJqFQAzC3GGx6gT93Hsc+WwkRRRRRERHR:a3Z0DdEEZieIQAG3GW6E93Mc6kRRRRRc
Threatray 14'427 similar samples on MalwareBazaar
TLSH T1A1B4127A064C8667C6EE873CE5E2418042F1CD0AA782FB49CA817DDE7F467D19D0269F
File icon (PE):PE icon
dhash icon 30b2b2f069f0d48a (6 x AgentTesla, 2 x DarkTortilla, 2 x PureLogsStealer)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ADEX SU QTY -7184.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-18 10:56:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d98ab55-5a61-4ed8-b48e-e437813b74b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220086/
Detection(s):
SecuriteInfo.com.Artemis7B7E201E5DB6.11380.5194.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e69638d32385db630113d2/reports/cecc096e-a21c-4370-8a1e-85d1fafaa346/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4d77a91-bba3-4dcb-bb86-ec92f6449e0e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922283
Signature
.NET source code contains very large array initializations
Found malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 10:28:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hmmyngwic4qp2cr2ligswt6fxznfufcrlbaewoed6iewqlvgd3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
361cfcc65ffe2112687ddd9fd49ad22102d4bb83aa9afb40b04a3531d852f95a
AgentTesla
40ccb45b307f55135d9e754e4ef2033b9a6ac4c84596b0c6b4962d54221de710
AgentTesla
54920b6428a47f26167fa633550d0dffb12ec4981ede7f4e7ec9ad08948432f1
AgentTesla
a3b413ab4cd2a50c24494d4b421b51cedaac054ab520ee68c5536a599f99c391
AgentTesla
ad28a444141c8894fc961bb6a358c29bc063e6e1f140526a1cbc973f5966db79
AgentTesla
e9f44dcc77be10a541bf42cc49ec068404b0fc6f02c68aeaae624f69c0fccbe5
AgentTesla
+ 14'417 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220118-mhpfdsahdj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
660a1abc9ad3b0549267e3f0bb801f623dcbaee3005e60c78180814050b8032e
MD5 hash:
1a1b7d8a316cbc369d0e97f0ede67944
SHA1 hash:
a0bab881cad024714eb37def8fc9ef3681b1e0c6
Link:
https://www.unpac.me/results/838088e7-5946-41ed-868a-8c79d72d9944/
SH256 hash:
625c7ab845b249081a86f22f901ac55707f0ebe5defcec3bffeae916b5adcd24
MD5 hash:
1b8903e41ac91c94ad2b283258da712e
SHA1 hash:
6fdb7c3891ee0190bc24fa0bb05d8f60df9e8b23
Link:
https://www.unpac.me/results/838088e7-5946-41ed-868a-8c79d72d9944/
SH256 hash:
50975d05eb37246ebd5823a0ebac56788fb30a307e3ef476429d3330d954241f
MD5 hash:
f3fdcea5519cadb461b23c490f2ffe2a
SHA1 hash:
1fe5e310d3338274bf63db27db10a230269e0e43
Link:
https://www.unpac.me/results/838088e7-5946-41ed-868a-8c79d72d9944/
SH256 hash:
fe9f80e0784010a9c1804ff12cbb458b385af529f27542634a33b0a273b85819
MD5 hash:
4a5ee4fdc92c2f34662cff4603c8828b
SHA1 hash:
65480e40a9080486629edb807b7fcfbeecd018f1
Link:
https://www.unpac.me/results/838088e7-5946-41ed-868a-8c79d72d9944/
SH256 hash:
d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6
MD5 hash:
7b7e201e5db6628a14b2616ca73e94c6
SHA1 hash:
fdb5974ee3a6d14b583a9c5f5c01e64d2233dbf2
Link:
https://www.unpac.me/results/838088e7-5946-41ed-868a-8c79d72d9944/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d9d8cc34d640/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d9d8cc34d640b907e851d2d0695a7e2df2d2d0a28ac20259c41f904b417530f6

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/220086/

Comments