MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e
SHA3-384 hash:	e659f3a90b874a5e3c34de67fd06091ae139e73e2baa78b3e8414b6d2e2e63de6ece61aa117202699c0e077090491ac0
SHA1 hash:	12ecaac835200895da816d452d3e458425080d47
MD5 hash:	16b5a74f0268d1782120797ca022e2ba
humanhash:	lithium-fillet-cardinal-venus
File name:	0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'413'400 bytes
First seen:	2020-11-16 10:48:59 UTC
Last seen:	2020-11-16 12:44:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:bg3Rih5YNtPqyQnOSA4CbtqTZGcyxrWTXr55eh8z4VbrTQNVkd:ThQtPqvnOJ4nZ7KVRrTgVkd
Threatray	84 similar samples on MalwareBazaar
TLSH	3A65F140FB1585A1EC3A8931D49F9D0906A23CBBD460E5EB38DA332629E3F73545F85E
Reporter	JAMESWT_WT
Tags:	AgentTesla Foxstyle LLC signed

Code Signing Certificate

Organisation:	Foxstyle LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-08-17T00:00:00Z
Valid to:	2021-08-17T23:59:59Z
Serial number:	32fbf8cfa43dca3f85efabe96dfefa49
Intelligence:	7 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	30eb03cea734157e43f44a048d144cf8db38fbe310f986c9f46373f83801f3b5
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.29179.2403.19844.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Grandsteal

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/537524

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM_3

Yara detected Grandsteal

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2020-08-27 06:55:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

malicious

AgentTesla

123765ca93c6c71f123934f0a1ea08487449d2bfab58f47f9c0a2d4cc645021b

AgentTesla

1a8d85a16bcc49b33c11489af823ff2f15caa31ecb616330bb54a4ca5b261769

AgentTesla

245deb1693e39d6340bcd2e8c9d8f5e78e4906e359172b150a066eb1678987f5

AgentTesla

29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9

AgentTesla

4ccf916fe0d3173dc9e6da3de749b437ff651b13bc32bf0538c29fc30c594a8d

AgentTesla

60cbcdb415e08196418d8b319e4bd3e186ee78639363c5c1c92b0f73637dd581

AgentTesla

79c2240abb05bcad2847f6fe50ae69f6a3cbdeea82bdc659e75f85eb59f442f9

AgentTesla

9b629ce7607ee755d467e058cf51187d2ca5c095d5dc5708826f9c47b06c3c07

AgentTesla

9b915d2e5f70b859d8c2eafc94bd593d3e53255444a5b4b651dfb9c2523d83d7

AgentTesla

+ 74 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201116-wmv8e85c6j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

9577e7bd44a4e6234c49321f74acc763781a8b5b84f0f087dda341a6dd4be49d

MD5 hash:

87244046c6a667292042bd9953d31483

SHA1 hash:

8cb5bc3e3157d0a5e6b0b6f9c983125fea211c58

Link:

https://www.unpac.me/results/90ec34ac-8f68-4f8b-b1d0-8d2a08e1aa0c/

SH256 hash:

f96a520ccbf8c29667c743e6bc411d5d5e6b16a46b772395f75dd4138cf089b9

MD5 hash:

ae6b1102c2698f7618ba6e98fca53ecc

SHA1 hash:

8d3e442dbf7e198d0684f27eaf842c5ad62e4463

Link:

https://www.unpac.me/results/90ec34ac-8f68-4f8b-b1d0-8d2a08e1aa0c/

SH256 hash:

46cbd6af0386299611ab38a1f92afda132d6ebfb093bfeb3406aae49fc58260b

MD5 hash:

dd31dac2287b1de7a46f21ea23d4e243

SHA1 hash:

934e595180c8e4e077cde79128a0f5654d78bb14

Detections:

win_grandsteal_auto

Link:

https://www.unpac.me/results/90ec34ac-8f68-4f8b-b1d0-8d2a08e1aa0c/

SH256 hash:

0a86370c2e094aa16cf56acf57bcc15294e2a66a8c12c1c52794b1ce965cf31e

MD5 hash:

16b5a74f0268d1782120797ca022e2ba

SHA1 hash:

12ecaac835200895da816d452d3e458425080d47

Link:

https://www.unpac.me/results/90ec34ac-8f68-4f8b-b1d0-8d2a08e1aa0c/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	Choice_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Cryptocoin_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_grandsteal_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample