MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca
SHA3-384 hash: 4ecb4a4a906ba5183b94ec440f214c595bba5ed935ec755f067c518f574552283ac9caf6404d0906497a1ef2c3258f02
SHA1 hash: 1fae345f324ec5675089cd7ee54d263116b89bea
MD5 hash: 30b591da0141af2fa6692e1a9f6cf841
humanhash: earth-avocado-king-delta
File name:Requirements.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:580'608 bytes
First seen:2023-04-12 08:03:02 UTC
Last seen:2023-04-12 08:36:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qY9aGLsCgEg7iiDIBkvyKi4xDAcSyy3TxPqOYK/vT:V9aGLHAiiDIvKmcSyyp5RT
Threatray 1'974 similar samples on MalwareBazaar
TLSH T142C4E17862C4978FD8002BFD6E009C8C27F289F5D5D4CE9EDAA6A48B0AFD7215045E9D
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Requirements.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 08:07:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e20b322-65c0-452d-a6da-7ad87e3d8b9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381725/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643669b48ffcff940e106327/reports/4de43a6e-9964-48ff-9052-676057102ed4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d622186-e6c4-4c5f-bf45-1121e18c9608
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212385
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 05:26:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gvonf66r57du2gjhmcq44ag5b56k5z3k7zsmixpz7rnvzlemhfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d507bf363414ee632d706b9c53f5351715c641585a54c9cbc93f82c880fda02
AgentTesla
2425598129b104c77948e02bdbfab451e7696de693d90f875d0cb0e3ffdb300c
AgentTesla
285f52c66b141680b77dcbb20f42a4ee9fab83815bd7c47a0e3cf581dad1404f
AgentTesla
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
AgentTesla
5e07308b25241de53ccc1a6f833e13bf63ad9bf9fe3f4786b28fdd959702a50d
AgentTesla
6ab23b6c600f2f84df0442f21ba552973126809d9b26557d2f815e60c135517a
AgentTesla
84276cf4e302cf1bafbc65f6987316dcd7842e73e107fd58c476127f3cf34c03
AgentTesla
9975c3c2c7bb393e635997f7e9060557ddc22931a8d700e558b7bb2c8d6ff892
AgentTesla
e68df2087331bc53cc8df1fea6ccabb8fd68ce31e9b5a6addbb6bc9036988c51
AgentTesla
f388b5e3cf8b41bf483a00dcd8d53cc02c298ec970510f68190e33992b184440
AgentTesla
+ 1'964 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230412-jxqp8acd6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9902047a0a53d61d6e4aa862f282178e060ba206441e9ebaa5730c6e10d1a59c
MD5 hash:
3cf3ba776504c67dde731864494d9246
SHA1 hash:
e02d8b92ea2c61d6e985778ec01640466b1cf5c6
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
SH256 hash:
37ca4b23e7bb82701b5e195f4fc4b7d4cfc7a05241d252740d0a6f8f07e21a8a
MD5 hash:
eca2a1f777f59644a547ffae7e749bea
SHA1 hash:
dbdf777656289b5d1f5c7ead5ede0cff76cbed90
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
SH256 hash:
976ee4be239b38edb82bf8bf3bc508b4a6e110138c3484d30cea4e17e36d7d6b
MD5 hash:
9093759d3cf79299efa2a3ddc4215d6b
SHA1 hash:
8c879fa938d82bdaa7e9c64b765947846db64928
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
SH256 hash:
313e0c33c3815ed0b7e2afff8852027e17cf3b187a7ac1d861a80e026c770de4
MD5 hash:
e6f6019d84e912eba66189e1232ff0c8
SHA1 hash:
48cbd94aa1b63e4858d23f27bd4416c9d2c8933a
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
SH256 hash:
f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca
MD5 hash:
30b591da0141af2fa6692e1a9f6cf841
SHA1 hash:
1fae345f324ec5675089cd7ee54d263116b89bea
Link:
https://www.unpac.me/results/3f55e689-4e03-4c56-8228-4b8e51506e6c/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9aae697de8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f9aae697de8f7e3a68c93b050e7006e87be5773b57f32622efcfe2dae56461ca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381725/

Comments