MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8
SHA3-384 hash:	308cf3f71bc15afa70817d39bc37cb17be89a9f765df935a35d73b634b6a36af0dae90235939a59a88d1f0a902c5c899
SHA1 hash:	c14382a56e771c6c9e7cda257c47aed2c2dcabca
MD5 hash:	287a30aad331a64bafbdeedabe3c0d5b
humanhash:	triple-orange-helium-finch
File name:	ORDER_QUOTATION_GO-CHARTER_5774658_2U5YBATSeL0bfdp.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	1'574'400 bytes
First seen:	2023-10-05 09:29:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e74c8ae3503a17604f2a2d84ae3389c4 (4 x AgentTesla, 2 x SnakeKeylogger, 1 x DarkCloud)
ssdeep	49152:NUauBRl6w3WeK95jyNrPsiz8M8GSqvQNEm7wndm:GRl6w3fs6VSW
Threatray	90 similar samples on MalwareBazaar
TLSH	T12B7502ACD1BDBCDBD81780F99C76F6E5585BEB5884685D26392A311318723833CA2C1F
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	b46cccccd4e8f4dc (5 x AgentTesla, 2 x Formbook, 1 x XWorm)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

290

Origin country :

NL

Vendor Threat Intelligence

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.27324.26934.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Forced system process termination

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Dragonfly

Gathering data

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

hacktool masquerade packed packed packed upx

Link:

https://www.filescan.io/uploads/651e8223a71d9f843c2c2ee2/reports/39d47f2e-cb0b-4aea-b2e4-b5768ba8bfc5/overview

Hybrid Analysis Win64/GenKryptik.GOLV trojan

Verdict:

Malicious

Labled as:

Win64/GenKryptik.GOLV trojan

Link:

https://www.hybrid-analysis.com/sample/0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8631393e-8252-402e-a211-e17b85ac861c

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1320097

Signature

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8/

ReversingLabs TitaniumCloud Win64.Trojan.Casdet

Threat name:

Win64.Trojan.Casdet

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-10-05 09:30:10 UTC

File Type:

PE+ (Exe)

Extracted files:

23

AV detection:

17 of 23 (73.91%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bio4xif2z4o7klbzno3dauxh5bt6kzygppthqwvqk76j77rv6l4a._file

Threatray malicious

Verdict:

malicious

Similar samples:

02e565314622beca0b16e1c731549262b2b22e4bf3bef691d23991cebf94bfab

AgentTesla

40d0a5c663f59b7454e4e8535918b57ccba56e5f445d02e384debb16b868ebce

AgentTesla

4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf

AgentTesla

8438ac5745f37292a9c36993ae4ff00fb3f3e52abd075d2efb0e3581ce1b8e94

AgentTesla

85c5c6fed46b400cf505aad5c84bc1ac76e74488b73d9951e3cda4db18f148e6

AgentTesla

89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc

AgentTesla

c7825ac17db3d7a4fca371b94a6bc4aa7d22e40bfa10e24b0c3ef063c82de7d5

AgentTesla

e1588fa2fbba71b436afb6df74166ffc100c422257b8c259debb07f3201bffeb

AgentTesla

f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899

AgentTesla

f94a62b2332593b4de3797cb1fb3127a682f2623d12e5f731157190526f6ef5c

AgentTesla

+ 80 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/231005-lgg49aab2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

UPX packed file

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6599370963:AAHYVLyUgd9Le0k5YAQvMSjM72cBftugiL8/

UnpacMe

Unpacked files

SH256 hash:

0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8

MD5 hash:

287a30aad331a64bafbdeedabe3c0d5b

SHA1 hash:

c14382a56e771c6c9e7cda257c47aed2c2dcabca

Link:

https://www.unpac.me/results/d5c243bb-a70a-40b7-bc1f-d424d1c42b3b/

VMRay AgentTesla.v4

Malware family:

AgentTesla.v4

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0a1dcba0bacf/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI AgentTesla

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0a1dcba0bacf1df52c396bb63052e7e867e567067be6785ab057fc9ffe35f2f8