MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 6 File information Comments 1

SHA256 hash:	05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d
SHA3-384 hash:	95c9d183f13b1eb51b2efef2973d2fcbe74f00642ab1c9ee80b0ce2f8cd7e5c4fabad1d6de0bf76047df511461d592a5
SHA1 hash:	f9176f150925781a4410aa186f3876e77e927062
MD5 hash:	7c52031c4ed1a6922317bf2c668a3308
humanhash:	illinois-stairway-grey-beer
File name:	7c52031c4ed1a6922317bf2c668a3308
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	274'561 bytes
First seen:	2023-06-30 04:14:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:vYa6lzmacpkwAMi9MrYraYWCTmi07wus57e+sWwxiVnRppz:vYfzmacWXMTiWCSLUwxUN
Threatray	4'637 similar samples on MalwareBazaar
TLSH	T13F4412A1B7F4C073D0560A362D7516A27BB7C82A04B5430F3710A755B95B182EA2FB6B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

7c52031c4ed1a6922317bf2c668a3308

Verdict:

Malicious activity

Analysis date:

2023-06-30 04:15:25 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/a6bf8479-bc0e-4a39-b4b6-b9589695dfb2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/403898/

Detection(s):

SecuriteInfo.com.Variant.Tedy.391406.23594.31231.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/94180/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control formbook lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/649e56c8e546ae296104fe85/reports/0f1cc26c-c0b3-4640-b43d-627e379d7ab1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/10d8186f-ca94-4f15-8496-6c98fa19735d

Result

Threat name:

AgentTesla, NSISDropper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1263598

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-29 17:48:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=awya2c42ymzlvb4s4qbny7s33hn3inqwn6ruvhub2ssggfxkoagq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3d318fe7e857edb9267b1b826b71027ad24d9872f8540a707f1e2505a43c95af

AgentTesla

51f801db0d98833131185353dd344e17d432aa84caa8ad27df9a5851cdb30f2b

AgentTesla

61c6ffbcd2c7c685bf8e3f6181f28c0e5ffb915a382b5c5848ef71e13042b41d

AgentTesla

7f4eaccd05489039f57a3d4258721fd636ce8ec8104c2184d366af9a75498e8e

AgentTesla

a75cc6c61c37543596e278999caa8d38a27025d599f050bcb7846f15e291c0ba

AgentTesla

bb5df98c2c7bc29973d2f2eeb67ce8b7a2f9da4166fabe5dfd70e5117e404991

AgentTesla

c34e7d631363ca2e25efa585c43abffbbed3219195715a6f5f39a8b50f287127

AgentTesla

d5a8ba6e3442a460c4edef925eced1f1ac00e4a200b82df436c5af9dccd1d7f3

AgentTesla

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf

AgentTesla

+ 4'627 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230630-et8z6sga83/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

5c03b81158bb0a90efff97fb7c3dc1959b2f7b3feef2301cdeb500c39a6671bb

MD5 hash:

4fc8fb9b957c043d24f293726999f7fb

SHA1 hash:

642b3b9b90436aaacfaf162dd3cfb71a98013609

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

13f8b888a0fdab507eb04afce398167ceff84b784a3623d7f6aa6ed52d63d29b

MD5 hash:

27e2109bf3764e69ca432c284dd2d3ff

SHA1 hash:

20fe60a05b2250fc2b10ced9845144310e5fe8bd

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf

MD5 hash:

b94c5017de2f5cca39c71a10f3b0175b

SHA1 hash:

00ccefee4a110b6939cc311b292ef2e9eae11e55

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

Parent samples :

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf
05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

SH256 hash:

5c03b81158bb0a90efff97fb7c3dc1959b2f7b3feef2301cdeb500c39a6671bb

MD5 hash:

4fc8fb9b957c043d24f293726999f7fb

SHA1 hash:

642b3b9b90436aaacfaf162dd3cfb71a98013609

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

13f8b888a0fdab507eb04afce398167ceff84b784a3623d7f6aa6ed52d63d29b

MD5 hash:

27e2109bf3764e69ca432c284dd2d3ff

SHA1 hash:

20fe60a05b2250fc2b10ced9845144310e5fe8bd

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf

MD5 hash:

b94c5017de2f5cca39c71a10f3b0175b

SHA1 hash:

00ccefee4a110b6939cc311b292ef2e9eae11e55

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

Parent samples :

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf
05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

SH256 hash:

5c03b81158bb0a90efff97fb7c3dc1959b2f7b3feef2301cdeb500c39a6671bb

MD5 hash:

4fc8fb9b957c043d24f293726999f7fb

SHA1 hash:

642b3b9b90436aaacfaf162dd3cfb71a98013609

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

13f8b888a0fdab507eb04afce398167ceff84b784a3623d7f6aa6ed52d63d29b

MD5 hash:

27e2109bf3764e69ca432c284dd2d3ff

SHA1 hash:

20fe60a05b2250fc2b10ced9845144310e5fe8bd

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

SH256 hash:

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf

MD5 hash:

b94c5017de2f5cca39c71a10f3b0175b

SHA1 hash:

00ccefee4a110b6939cc311b292ef2e9eae11e55

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

Parent samples :

e29da5419ccde47362b68768236bc146bfdb198905405e7b05ef3dbefa5d28cf
05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

SH256 hash:

05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

MD5 hash:

7c52031c4ed1a6922317bf2c668a3308

SHA1 hash:

f9176f150925781a4410aa186f3876e77e927062

Link:

https://www.unpac.me/results/5977503b-5e08-4c83-82c3-aa8ca0d95d18/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/05b00d0b9ac3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 05b00d0b9ac332ba8792e402dc7e5bd9dbb436166fa34a9e81d4a46316ea700d

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/403898/

URLhaus

https://urlhaus.abuse.ch/url/2674049/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-06-30 04:14:39 UTC

url : hxxp://23.95.122.102/54/iccu.exe