MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f08fb27479f796c6fc4acb74759336ea2a426b1282d89fe78764a7680c758c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 14



SHA256 hash: e9f08fb27479f796c6fc4acb74759336ea2a426b1282d89fe78764a7680c758c
SHA3-384 hash: 64c7d6c2f760331b6592e9ab799783b1c1f7e91801f3f7097d9a7a6b53855587494ae210477f3fbf3e2bd73290ec5d9f
SHA1 hash: e9f8551b5847ddbbd7f02ac471ff197a2e63fb2e
MD5 hash: b58c4bf6bc36e7e9290bb3be27f96e1f
humanhash: fix-carbon-emma-emma
File name: 2222093748098765434567898.exe
Signature: AgentTesla
File size: 341'472 bytes
First seen: 2022-03-29 06:14:16 UTC
Last seen: 2022-03-29 06:47:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 6144:KbE/HUAwE09DIFhMbICI6C0fBdTLBX8FmR6kT1bMmRx5K20SMu8:KbA+eaRB3aknJx+bu8
TLSH: T1DC740283AF55FD13C04E453C192762FA859295214FB06323E7B11FBA5EB3ECC9A1C692
dhash icon: b28e8ea2a6be9a92 (1 x AgentTesla)
Reporter: cocaman
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 228
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Using Windows Management Instrumentation (WMI) requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Behavior Graph ID: 598877
Sample: 2222093748098765434567898.exe
Startdate: 29/03/2022
Architecture: WINDOWS
Score: 100
Top signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 3 other signatures
Process tree:
  2222093748098765434567898.exe (started)
    dropped: C:\Users\user\AppData\Local\...\ackwhpvd.exe, PE32
    started: ackwhpvd.exe
      dropped: C:\Users\user\AppData\Roaming\...\ivdklqb.exe, PE32
      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 4 other signatures
      started: ackwhpvd.exe
        DNS / IP: mail.cml.net.in 205.147.111.116, port 587 (NETMAGIC-APNetmagicDatacenterMumbaiIN, India); 192.168.2.1 (unknown)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  ivdklqb.exe (started, two instances)
    signatures: Multi AV Scanner detection for dropped file
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2022-03-29 01:24:37 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash: b4536a638db24534844e46f63494d436bc1f9354e988a58080df5047066ef70c
MD5 hash: b94c478894bbc6128513daede2d68c99
SHA1 hash: 86571ee8b9b3394083e01ec816dd007b48fe8abb

SHA256 hash: 5cc1e0ab791b4618f25a53b5d5ab05561a3fb7430dc7ae06677f36c244e0f2e2
MD5 hash: 5509f1e3ee1e7b069d32ec923a393016
SHA1 hash: 04db1d25b79e5e79bc026aee9afcba055039bcb6

SHA256 hash: b4f040c8381f4ba7469e8522e5f918c5d2ea5632a69b8efec7f73278914da818
MD5 hash: c8d020e447bcc32e064635fa53bc2942
SHA1 hash: e92a222c884d78dd2861da7e7c1d2d961604ad61

SHA256 hash: 85b75f7b517ee28e9c3a7adbbf8a0cb6f8cef4acb4d93072048bb0bbb18701f0
MD5 hash: 20a42c192bbd5f6d0656c0780905ac5d
SHA1 hash: 1bff25bdd348802f884a95e2514458b0faa6e018

SHA256 hash: e9f08fb27479f796c6fc4acb74759336ea2a426b1282d89fe78764a7680c758c
MD5 hash: b58c4bf6bc36e7e9290bb3be27f96e1f
SHA1 hash: e9f8551b5847ddbbd7f02ac471ff197a2e63fb2e
Malware family: AgentTesla.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: ach_AgentTesla_test
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Malspam
Signature: AgentTesla
File type: Executable exe
SHA256 hash: e9f08fb27479f796c6fc4acb74759336ea2a426b1282d89fe78764a7680c758c (this sample)

Comments