MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9
SHA3-384 hash: 05ef547085d87ddda85ae98c612beebcedf7b76b44040be4f08eb3814e6b1379453497eced028e6b8cc25b455cd6861d
SHA1 hash: 74117a3e6345472e52c283dafb71647478988b87
MD5 hash: 63fd7ddf82fa470150fc1362112e0eb1
humanhash: solar-march-lima-black
File name:CNC 39200-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:692'224 bytes
First seen:2020-10-14 16:35:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:umCZfcyGSgsEp01d2dQg6AzhkURIaigx6kFhMb669Hu612jswihj+y8bhnVi6ifG:umoYpId2CoRIazhMbh9O6mswi
Threatray 546 similar samples on MalwareBazaar
TLSH EFE4CF9C325071DFC42BC9779AA41C64EA6174BB931BC207A05716ACDA0DAEBCF245F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: fnadk-36.srv.cat
Sending IP: 46.16.62.46
From: Info TTY (Nuevo) <info@taxtrophy.com>
Reply-To: Info TTY (Nuevo) <baeutyslondon@yahoo.com>
Subject: CNC 39200 // ANÁLISIS DE CONTRATO
Attachment: CNC 39200-pdf.7z (contains "CNC 39200-pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70964/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.16448.22402.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/491541
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298332 Sample: CNC 39200-pdf.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 80 16 Multi AV Scanner detection for submitted file 2->16 18 Yara detected AgentTesla 2->18 20 Yara detected AntiVM_3 2->20 22 4 other signatures 2->22 7 CNC 39200-pdf.exe 3 2->7         started        process3 file4 14 C:\Users\user\...\CNC 39200-pdf.exe.log, ASCII 7->14 dropped 10 CNC 39200-pdf.exe 2 7->10         started        process5 process6 12 WerFault.exe 23 9 10->12         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 15:03:20 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hxw3ug5x2k3h6cy5qpdznanksj4rh4iiqrh6lbroonj47hppk4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
2d9c1413a894e79ddcba0ce405e72fc4be4dae2bb7f9c7931c7d618c5a0c7a56
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
3bbc420e96825537d8483d080f9918b4d8303aff054b1cd94126ff67fa0526b7
AgentTesla
6d9a45dbc2e4cb3cbcd745e44efa13c3c895c202bf9367f572d1d94d141cc81f
AgentTesla
b632282d2e46133203300355315a5ce12ecbe30201dc4dddcb66ce7b0e29c11f
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
AgentTesla
e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca
AgentTesla
+ 536 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201014-dhfw6wsaqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9
MD5 hash:
63fd7ddf82fa470150fc1362112e0eb1
SHA1 hash:
74117a3e6345472e52c283dafb71647478988b87
Link:
https://www.unpac.me/results/aa1d1152-6812-4b49-8d82-594d6930628f/
SH256 hash:
00aa219ab49c9b78fe2034788e8b9c5e8cfb9142196c894cac664e3b439f2e3e
MD5 hash:
66427549faa437be425a63bf1a1e183f
SHA1 hash:
56e18358f82c40af70dab555713bd670621d92b3
Link:
https://www.unpac.me/results/aa1d1152-6812-4b49-8d82-594d6930628f/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/aa1d1152-6812-4b49-8d82-594d6930628f/
SH256 hash:
d01685838fe59264ffe2d4794c78ebe00c3763d67d8c3d4cdf123458fa4dfa71
MD5 hash:
5e78b713585a1252e0a8c7f05dcb53bf
SHA1 hash:
ca44ab41cc802acdc52602c6cff0df1c326babe3
Link:
https://www.unpac.me/results/aa1d1152-6812-4b49-8d82-594d6930628f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e775d30df7e9b318f8657a4bd251c01c38f0a7e3867f082d4d4ab3b2935f7858

AgentTesla

Executable exe d9ef6dd0ddbe95b3f858ec1e3cb40d5493c89f8844227f2c31739a9e7cef7ab9

(this sample)

  
Dropped by
MD5 379663ad4df3ade52a87323c83dc1d6d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70964/
  
Dropped by
SHA256 e775d30df7e9b318f8657a4bd251c01c38f0a7e3867f082d4d4ab3b2935f7858

Comments