MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a4331bb70c63296d2f975bad0903c1c9c539c1f9d349a187bfaf2633b3c06e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a4331bb70c63296d2f975bad0903c1c9c539c1f9d349a187bfaf2633b3c06e2
SHA3-384 hash: 3d960ea1ba54f2f5ad70e0de765fce53623bddecfea0b697e036fbb20af88bf2deff1813416f1444d73f426a268b8075
SHA1 hash: 44e2961033d6dcf08c9eec519d4aba1f3f786f2c
MD5 hash: 8b0af96231dd7b5f99c1d51037dc0219
humanhash: speaker-mars-island-whiskey
File name:quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:685'056 bytes
First seen:2021-07-27 13:07:11 UTC
Last seen:2021-08-10 06:17:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:ZWkDWpXtKYqYXyWUeYobOkR/RaK6ctthNEEm7sUSAav8RSYJp7bHa1prG7mo5oFY:ZWkDWGJYXtCER5aK5GpjDRSYz7mo5oFY
Threatray 7'420 similar samples on MalwareBazaar
TLSH T15BE4BEF93539375FF493847E54B05CA2695060FACA2EC792F32341ABEF1C48BA940697
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
quotation.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-27 13:08:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a846eb87-eaa4-43ec-a249-16da370bb069

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174349/
Detection(s):
Sanesecurity.Rogue.0hr.20210727-0307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc51ecca-c216-4a37-b62a-4e5186ba56df
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822354
Signature
.NET source code references suspicious native API functions
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 00:44:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjbtdo3qyyzjnuxzow5nbeb4dsofhha7tu2jugd37lzggoz4a3ra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0285d35ec1a33b52bd1fddf3dd1a76d259b0a432640f72a25494392ad5ab7cc0
AgentTesla
09aef6f54bc8516f9bc1411925a7a5fa2b1cb22b0129dc5debe507121e845816
AgentTesla
4012c4289aa953f24fdc7e1e257f2d9b04f835a8d6bd1b8eb919271c46a7db62
AgentTesla
500c7992cee573057608d6cdb64958b16c4d6a8605be652dde71b579db731419
AgentTesla
75a25ca27415d7a318ed0cc5e36ef146b0ef0719a33efb6e6ae033422250dfda
AgentTesla
84aee29ff996e561873637b420aa3b03a80fea62b41cfae85159ee65969e34f2
AgentTesla
93709182d579b433aa5f5fe1e4eeba4de3b5e497f78a5ef34d35bcd981f49f15
AgentTesla
b915e46bfe27a03870fb223223ff2af61c15226a650031317d2acf558c55a3a9
AgentTesla
e352fd57db8a0670353e1c3caf02fd7d83fb315bb2e519b48dccd27eb3a2c456
AgentTesla
+ 7'410 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210727-rczzza7t9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
40131bdf5de6f6b60a566e4bfe9e97c98bc04daabae1f76ed7d70b35d5911e44
MD5 hash:
8cc6db3e3a55a12d4fab983cde7379e5
SHA1 hash:
c8c26a7494460b5508029bd3358c96553486b4e4
Link:
https://www.unpac.me/results/99c45728-aa0b-45c4-890f-1b267685b5a1/
SH256 hash:
556f4ee3b7eb0301ee72bbd14187949bcb5cc4c93db9217a6270b060b27ad974
MD5 hash:
d9640a8a065961c1cf59cf51eb2653f7
SHA1 hash:
bbaad2afd36deac7b77a0d5654c0c30e320cda25
Link:
https://www.unpac.me/results/99c45728-aa0b-45c4-890f-1b267685b5a1/
SH256 hash:
edc1e8c401116a7c8417162ce771c3d12ef4dc5d40368c45bd3d1ee06494e591
MD5 hash:
709a4b194fdc066719fe1092888e78ad
SHA1 hash:
7874e9a7ac1e6b48830066173f90c945cbdfaf7c
Link:
https://www.unpac.me/results/99c45728-aa0b-45c4-890f-1b267685b5a1/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/99c45728-aa0b-45c4-890f-1b267685b5a1/
SH256 hash:
0a4331bb70c63296d2f975bad0903c1c9c539c1f9d349a187bfaf2633b3c06e2
MD5 hash:
8b0af96231dd7b5f99c1d51037dc0219
SHA1 hash:
44e2961033d6dcf08c9eec519d4aba1f3f786f2c
Link:
https://www.unpac.me/results/99c45728-aa0b-45c4-890f-1b267685b5a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0a4331bb70c63296d2f975bad0903c1c9c539c1f9d349a187bfaf2633b3c06e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/174349/

Comments