MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb
SHA3-384 hash: 09b8e3ad41b86a5d94fbc078bc57cf46651138a9e74094e082e2e1ced74ff8413a295fc8fc9a16cc457f0f74f1385d9b
SHA1 hash: f6365ffed52dea01c73151958f0add694a02470f
MD5 hash: 29e015893d13661d1110c11f280c73c6
humanhash: gee-vegan-item-twelve
File name:SecuriteInfo.com.Win32.PWSX-gen.13359
Download: download sample
Signature AgentTesla
Create hunting rule
File size:207'792 bytes
First seen:2022-09-08 12:05:48 UTC
Last seen:2022-09-08 12:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:Jxb8VmuNH12LB27cqKrRfsjAk7DYcbvrV5xT8cbUFHcMc:jYVm0cLB2wijtYcTx5xThU9cMc
Threatray 18'824 similar samples on MalwareBazaar
TLSH T108149D887610B68FC81BD836DC9D4C64ABE47C675717C203B49B32AD9A1D7DBCE090E6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4dcd8c4d4d4c4d4 (95 x AgentTesla, 51 x Formbook, 12 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.13359
Verdict:
Malicious activity
Analysis date:
2022-09-08 12:06:25 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/0ce45cb5-1264-488e-aab9-b9bb54dfc946

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308762/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13359.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Creating a window
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6319db3ad836d6918483eeec/reports/74d95192-8e6c-4c4c-9ab3-ecde81696396/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fd4ed63-dc84-49bb-b408-2ce060499b1c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1067094
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 12:06:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3onyffcdzkssqinwojzrijsab3mfocn3plwfbe6iixqujolc7lvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3e927ea7d9e59f48ac8dae514c97f80678cd412e82be06078c1be661eec15e49
AgentTesla
4f5057f749812cda5d588b54fa0e514a3c0acf82d2a7bc6ec4eb7074cc950683
AgentTesla
5adb4cea36b31385d66787ec1a8b686704e9c85793fb8aec0be8ddd7f12fcd0b
AgentTesla
72e4a4fe5801818e196675661939e12520b62566481812f61563250d41ddecf6
AgentTesla
84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0
AgentTesla
89823f7c472a09c6062578082579da7f8cdb093c99de1a7c92aafa5d741c7316
AgentTesla
8d5f8190ec870db510d2b95b830a07bf3c67d9996df775778dfa82b6c2bdd7b3
AgentTesla
fb1afa6e7bae619514d7d2ff10a9cc96a03b5e10640059f592c7e5f3d6093d31
AgentTesla
+ 18'814 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220908-n9qyzabfgq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla
Unpacked files
SH256 hash:
9d37011e8ac53d0fd2a45b0d79f1d9e8a6f3026beb3b7d2a4154bcb19d56895d
MD5 hash:
b212c1f23540b5fd5a5ac6eec0ea9add
SHA1 hash:
632cebb6ce78f97c59cc0a24187390aaaecdf400
Link:
https://www.unpac.me/results/6a920e09-012f-419f-8a45-4c7493edb937/
SH256 hash:
f6650299cc59a94123487873a6afbe371a3ca6b1f5e4e32c57cfe056c0759684
MD5 hash:
33a6b46d00c32a875b21b9cd3e363064
SHA1 hash:
25c1183f59d37445efed561882dca2da0478b687
Link:
https://www.unpac.me/results/6a920e09-012f-419f-8a45-4c7493edb937/
SH256 hash:
db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb
MD5 hash:
29e015893d13661d1110c11f280c73c6
SHA1 hash:
f6365ffed52dea01c73151958f0add694a02470f
Link:
https://www.unpac.me/results/6a920e09-012f-419f-8a45-4c7493edb937/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db9b829443ca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db9b829443caa52821b672731426400ed85709bb7aec5093c845e144b962faeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308762/

Comments