MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2
SHA3-384 hash: 3cb3423ba70a2af91a025c2fb5170c4b7f0646ed85ad567c21e11cf9f37337575ab59562f2b187b5867d67fb33628bb5
SHA1 hash: ee05de47457938350639af461c138c801b54f5b3
MD5 hash: 38128c21bb7c951f6916f29d641a3ffc
humanhash: idaho-bravo-nebraska-network
File name:packing list .pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:757'248 bytes
First seen:2020-07-14 01:16:44 UTC
Last seen:2020-07-14 13:23:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1c1ff870c7f2916086288f794229846 (5 x AgentTesla, 4 x Loki, 2 x FormBook)
ssdeep 12288:VkXOU51w5qnnf9aG3EV+M6qzvXkqYJZybMMKgW4Ql/yucJM0o4wc:+eMbnn7EIqzATsMMfW4U6uyNo4wc
Threatray 11'806 similar samples on MalwareBazaar
TLSH C6F4BF22F6E04433D16B1A3E9D1B97F8983AFE41ED1C5A872BE45D4CAF393413829197
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25560/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.13070.25735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 22:58:24 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bufkueklvsnkbl5thzwhbfmvesxxv6rhpz3qbftxmpdajvgrrdba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
18a41b50c8885afe4978787aa8c44601134838f73f66e7edc520bad7d76bfad2
AgentTesla
21327be564dca2dd0136871d257a99b68daf3a09af75a0fb947f65708f1df2b0
AgentTesla
461c2209ba38f790373f05c8bac84c4e0fc454d83cdf1f8d859d656a59567bb0
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
7a3c761d105aebdfc06ce56ef43ba47d374ba81cc1d64d5380054cccbd92bd57
AgentTesla
930d653a60d5eea45cb332a3b313d8bf129c1b6a0dfa82aaedadfb9dd0dc8ced
AgentTesla
9a4aa8d0acefa1f81a81440379ce5c4c76175c6a28d72ab61d372394646bab6b
AgentTesla
d59490ae49d0b6cd7021ee0c19277854011da2352e0654853d71805b41a5f850
AgentTesla
edd3a9064d9828a06d55be4ea729afe1847c1ea5190287469ee8ed2088c018b0
AgentTesla
ef3cbb89feca43a0f0756ff2c3e485755e38f2d4ea6f807e7c09fe31ab710920
AgentTesla
+ 11'796 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200714-m8c595bv1x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 2d5be6e74442a56b9f45d41d5a3aa6a723d434b849c5059fecf322ce091ed324

AgentTesla

Executable exe 0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2

(this sample)

  
Dropped by
MD5 1e668a8f40f8ecef49303811e88b66c8
  
Dropped by
SHA256 2d5be6e74442a56b9f45d41d5a3aa6a723d434b849c5059fecf322ce091ed324
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25560/

Comments