MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d
SHA3-384 hash: 6a709e697e4e8959af9af91a9993c21e55ef058137539752522dbc0ff3045498cbc1765dfd1ef1a007ac3c776a38a338
SHA1 hash: 4055dda5431af415e0c35e93998789e6828b2cd5
MD5 hash: bb280b52a02541cf5bb94582df86b9c5
humanhash: eleven-michigan-potato-august
File name:Payment Advice 17-1-2022 SKMBT03783930484050888904003TXT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:426'496 bytes
First seen:2022-01-17 02:22:24 UTC
Last seen:2022-01-17 06:34:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:7PwXKz253GmOpJWfP8xitKkLicOj4zJFkRRRRRER:b1zcOpJWpwhZjsjkRRRRRER
Threatray 14'390 similar samples on MalwareBazaar
TLSH T1B6941254A3F47799C89ADBF4A432504407FE256A6023DB8C1DCAB4DF2A4B7420E97B37
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice 17-1-2022 SKMBT03783930484050888904003TXT.exe
Verdict:
Malicious activity
Analysis date:
2022-01-17 02:25:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4bd67e53-850a-4bd4-9751-dd3916bb736e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219675/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.9481.4490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e4d309d32385db63f84e32/reports/29089e69-f137-45b4-ad81-30cc3585597c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd18d5d3-dd43-4308-8f92-72fbccd39f17
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921515
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 02:23:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3htmxvzpfgfjfwsdnl5e66mkhs6exfi4jz2tfrl3jae6piwr5zgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01488f4b9d6f4bc59cdc4faa78d18c2459178dc627d2a19a73ba54cc1a4dd8ab
AgentTesla
2948189227236b12a612f2032a2819d4a0208b92a56ecb033c8c8d0604e55441
AgentTesla
50b382187f7eb9e5e8a046aa37a52311deed74ad19fe92dcea4afa3a3fe534a2
AgentTesla
854fdbaa39b3da5ed2d094c57511d14dc97c392358da47e42fbbd7b2d03101d2
AgentTesla
d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d
AgentTesla
d9ef341853931d195e3fc1d9b94bca1a50be2e49e2cd1443dd05f55f4f2915c2
AgentTesla
f5f60691fc5f947e17d9f29028ccaad80f6862468db5dcae7a2e65572b99f9f9
AgentTesla
+ 14'380 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220117-ct576sged7/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
81ceb52b46b9ab88f0d79ff989a490ad0204c4e81146852932abae97d71f74f5
MD5 hash:
3da92a08a8fd4de696b1b543f7c7b499
SHA1 hash:
fc51594011ad0cf98b631e20557c5286f668cf7c
Link:
https://www.unpac.me/results/1114dcc9-0f9e-4a50-ba50-b5aa40423ed3/
SH256 hash:
749668d25f1c867e2304aa4dc090ed4618a2ed7de6bbaa2374159d8d25cdc4bf
MD5 hash:
5913846541860d125668b90f732ae554
SHA1 hash:
ba3d1469538a5c1085c3c26c14608bc79ae581c7
Link:
https://www.unpac.me/results/1114dcc9-0f9e-4a50-ba50-b5aa40423ed3/
SH256 hash:
8995963e6cd0f365fc545572145fbe99132b3a2a4311deb1de6be6cf676f54da
MD5 hash:
9d0dcb3ac59dcf93c703cf2a96b6d8d3
SHA1 hash:
1c58a237720c3236ecd7dcdd3749400c133ee6aa
Link:
https://www.unpac.me/results/1114dcc9-0f9e-4a50-ba50-b5aa40423ed3/
SH256 hash:
d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d
MD5 hash:
bb280b52a02541cf5bb94582df86b9c5
SHA1 hash:
4055dda5431af415e0c35e93998789e6828b2cd5
Link:
https://www.unpac.me/results/1114dcc9-0f9e-4a50-ba50-b5aa40423ed3/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d9e6cbd72f29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d9e6cbd72f298a92da436afa4f798a3cbc4b951c4e7532c57b4809e7a2d1ee4d

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/219675/

Comments