MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
SHA3-384 hash: 6ac788004ebf9cfd4cda385c8debd131e345873f95e7f531ced089078851daa6eb6746050ea0aeaa17d16c20d4da10d1
SHA1 hash: 3e0b3726887007d144c4b6accd83a5c345f37b70
MD5 hash: f90b08685d00034d5a2055ed3ee5b4f2
humanhash: steak-sodium-robin-oregon
File name:O0831047974974.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:406'192 bytes
First seen:2020-09-25 13:28:51 UTC
Last seen:2020-09-25 14:51:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:zB/TqOoGcJwVAIJNQ+l3/4gjszffUJNosFZsTjpbsWlTIKVSwhk96kADe:ztTW/IJNQ+l3zKfUJmmcjtsWlTIK8wUP
Threatray 120 similar samples on MalwareBazaar
TLSH 5D841211BB034413DB2D4B3CA0A5550463B1BB4583B3DA8E63AD7F16BF923CA1CB566E
Reporter abuse_ch
Tags:AgentTesla ESP exe geo Santanderm


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: toptrending.es
Sending IP: 5.196.76.131
From: Factoring y Confirming - Grupo Santander <fycout@gruposantander.es>
Subject: Confirming - Aviso de pago
Attachment: O0831047974974.GZ (contains "O0831047974974.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65838/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/475179
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 11:38:24 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3h2okobyuq4ydxxgowmtsjcijtkqrqow7zanmgljjyyt5hi6mvuq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1ca56622a5046a55fd09c9cdc61c262d9db3a009a88e0314e7bb9c64c973e9a7
AgentTesla
25565e82a4ff19e43439a8188345ec8ad8d3538529dec10764c9ffba163ceb6c
AgentTesla
3832b8b199ec2a5c06dfc3ed80a489583043e6477668370861380ee5306d9e55
AgentTesla
4786c4e0b64e49ed37f8215c2b6c778ec6c7b31a4d044cab66d46c904c6a7cba
AgentTesla
4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c
AgentTesla
96a8399aef7760c49b1b2fd59de6f8747f5de3bf85249c5d7e09e7499a5c097f
AgentTesla
96b0419df5ee00bd898850a46dfe41636b6654ebb7dfe14b18d3cb6b7453f8c1
AgentTesla
97950fbe40dd26ac4eabd641e8bae0fc8f23ce04e3c4cf06ad5e451389b80556
AgentTesla
b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d
AgentTesla
fc87713edf4f4aa23cf04040a4f47604550b4ca2da324c0c3daf4fdcac6fa17f
AgentTesla
+ 110 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/200925-j4aer3lyrn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Unpacked files
SH256 hash:
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
MD5 hash:
f90b08685d00034d5a2055ed3ee5b4f2
SHA1 hash:
3e0b3726887007d144c4b6accd83a5c345f37b70
Link:
https://www.unpac.me/results/973bde5a-272d-49e2-8409-21028cb5ecd9/
SH256 hash:
8a9cb92b6c7ec65c0756f2d6a2d7e1034324c4a9554f2bf3691c912bd4e6c038
MD5 hash:
9d5c2fedf2a329f32b10bedc9c5a6db3
SHA1 hash:
2870972d1d753d0f76432fabdc340aad73e7eb8a
Link:
https://www.unpac.me/results/973bde5a-272d-49e2-8409-21028cb5ecd9/
SH256 hash:
ba17741952344fdbc93a2be053d36a57d515a398747fb9d9d083ad86279ffc1f
MD5 hash:
4a50ea026f917732a93f39bfea021501
SHA1 hash:
12697bddf38fc3fa1908aac766b009d1d44a2332
Link:
https://www.unpac.me/results/973bde5a-272d-49e2-8409-21028cb5ecd9/
SH256 hash:
4d2a3698ee6872e8cf4cb624443424261277810fd136d4e40285bd6b5aab67b5
MD5 hash:
6dabd715772036ae98787efcd70ffe74
SHA1 hash:
e74d3d8bf67236ec8a1112c8b2acc80fd95934be
Link:
https://www.unpac.me/results/973bde5a-272d-49e2-8409-21028cb5ecd9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 27b870f7a46fe17c94a2c2a79d4ade22bc28b39bc3c9bdde4427d8e61685e489

AgentTesla

Executable exe d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569

(this sample)

  
Dropped by
MD5 cb09af0796691fd7dc9aa42ee3f908a8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65838/
  
Dropped by
SHA256 27b870f7a46fe17c94a2c2a79d4ade22bc28b39bc3c9bdde4427d8e61685e489

Comments