MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9232107c85b4b3a9ec90a32fa98b99d27f1ca84ef2b5654d7ab696f9f034890. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 18



SHA256 hash: e9232107c85b4b3a9ec90a32fa98b99d27f1ca84ef2b5654d7ab696f9f034890
SHA3-384 hash: 0545539c9d5db32b2595d870a898599eb4672d3a5eabdff5e10c017818bb34aca01f1a0f22fefbab1b18635369bce3aa
SHA1 hash: aa4197a75d07592c242850b13b1dea76671e025a
MD5 hash: aaca7e0cc2d952668293c38fd0345b99
humanhash: autumn-cold-hot-emma
File name: Sales Contract.exe
Signature AgentTesla
File size: 689'664 bytes
First seen: 2024-06-11 17:29:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:LSdTeRPW+zhKEuWJXXUw2Ql5M1szhYhwFMcSMgrsKuqyJMD0OB:LHRPW+9KZWJHUw2gIszhYhGMhVzNO
Threatray 4'162 similar samples on MalwareBazaar
TLSH T106E4018C325070EFC967CD35CAA81D24AA643477AB1BD10FA147419D9A5EAD7CF10AF3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
350
Origin country :
CH
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
e9232107c85b4b3a9ec90a32fa98b99d27f1ca84ef2b5654d7ab696f9f034890.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 17:31:34 UTC
Tags:
evasion stealer agenttesla exfiltration smtp

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Tags:
Generic Network Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed powershell
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-06-06 00:12:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
c984c840cfa3a800962ec140b43d6e92394adaae189d35e437db66970fae6793
MD5 hash:
1a4231260ea87d8d7d5b46ba765b153a
SHA1 hash:
d7447c3b4b798a8a4338352778e66c63fa9cb8c1
SHA256 hash:
1782e441900cf6fe57a2a1697b16cef43db792365991814621ad1f545b39afda
MD5 hash:
b4cec1725a68f13fdd2e3db6a720e137
SHA1 hash:
6439db4a427962ee0eafcc98ae7b96c1e3888948
SHA256 hash:
aa4240d3c6a1ba38ff9c7abe3455a20c782b5e3aaa96af6e4332bc9476fd656e
MD5 hash:
06af3c3f7b31c9d3d27981a0842dacb0
SHA1 hash:
407cc724660e5787cf05e03b08c6f28b4835d51f
Detections:
AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Parent samples :
SHA256 hash:
55729815a6ad44739f2af0c7a7096f4153fcc109d440f23d0d609065e96b625e
MD5 hash:
82a8fdab718d8d9c1c82472293a72e3d
SHA1 hash:
042c0d08baf858128d32c01476380e142891456e
SHA256 hash:
e9232107c85b4b3a9ec90a32fa98b99d27f1ca84ef2b5654d7ab696f9f034890
MD5 hash:
aaca7e0cc2d952668293c38fd0345b99
SHA1 hash:
aa4197a75d07592c242850b13b1dea76671e025a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_GEN01
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e9232107c85b4b3a9ec90a32fa98b99d27f1ca84ef2b5654d7ab696f9f034890 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments