MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360
SHA3-384 hash: a1de5506a170f9867588b86a74d13d525e0269a29eb0d1611b7649dba4115263b17e9d7540e91625821dd10795b3171e
SHA1 hash: 6cf113b89f19fbf5ad5e9c8758f5dad83b0d976d
MD5 hash: a2c9344266ea96783fc9aa5217865e9f
humanhash: oklahoma-twelve-apart-fruit
File name:PO 16122020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'736 bytes
First seen:2020-12-16 09:44:54 UTC
Last seen:2020-12-16 11:46:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e06d0f4fcf3872d57a0853ffeb036a8d (2 x AgentTesla, 2 x Formbook, 1 x Loki)
ssdeep 6144:NAT5yqEi/+8YcpsHLNtooYuA5fnniy8doGDUhBDjMbmiceWC4LdLv:NATnd/yciL8oQ56jkDjGmFL1v
Threatray 1'916 similar samples on MalwareBazaar
TLSH CE64230C0B5602F0D36194BC732B1A0C7F71B7E5176AAD24411FE8F8FE5846AED9236A
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 16122020.exe
Verdict:
Malicious activity
Analysis date:
2020-12-16 09:48:48 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/288174af-44a9-4844-87cd-9352d1b7f2b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisA2C9344266EA.5901.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564080
Signature
.NET source code contains very large array initializations
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 09:45:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkgw2d5cfvukcd2vgpvbjltwvuyqmiq5fxsghjaxditkabg5mnqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
228fe441663bba29232efd41520bef1ab0d2edeed96e106526ba9193794eb394
AgentTesla
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
AgentTesla
350d069225cb53bc0c3762da5cc170eac2737318377be141a5485651105914f6
AgentTesla
36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b
AgentTesla
b4028a328ab3e533631461c92c11f0594dbc1311ccb259bfe7e37c325c31a1d5
AgentTesla
bee3c64a4d3862a54f11a05303fb39c9768891841673269e477d0d87ec1862e2
AgentTesla
c22dac65ca71dda0a712ea5bf6c959c2dcd620bc47172dc59cf1fb28a28dcbc2
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
ef91cdf4d2ae2a3dd427b89bf9a2e057ec1f6308aba537b7d808e999bb9815f8
AgentTesla
f550b174528b14a38ed8725fc03cf092de3e976a4287874c4fd5eb7fad33312f
AgentTesla
+ 1'906 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201216-a3ehncj77s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360
MD5 hash:
a2c9344266ea96783fc9aa5217865e9f
SHA1 hash:
6cf113b89f19fbf5ad5e9c8758f5dad83b0d976d
Link:
https://www.unpac.me/results/31f34667-e520-41e0-bea2-c3753e0438c6/
SH256 hash:
444fe951846ef28dd63aa1c5be69fcaee5e2ac941a2454f4672a2d30589763df
MD5 hash:
e75e1657368c72da7f6a83fe8f3601d6
SHA1 hash:
80dfc5ba90b43bb098c27b690a17b7bac64ecf03
Link:
https://www.unpac.me/results/31f34667-e520-41e0-bea2-c3753e0438c6/
SH256 hash:
10dfb31020def84ca60fc7566d5bf58e9e541a1f78d436544f5a26dd45c9bf42
MD5 hash:
3c593fead98da6b15495367ea5490c80
SHA1 hash:
c62b059a23b0719c992c96389fc1143db16f146f
Link:
https://www.unpac.me/results/31f34667-e520-41e0-bea2-c3753e0438c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a91d2a7249086c122bc1a7e697f70bfeec7a0575bbdc6801c710895148fae5cb

AgentTesla

Executable exe 0a8d6d0fa22d68a10f5533ea14ae76ad3106221d2de463a4171a26a004dd6360

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a91d2a7249086c122bc1a7e697f70bfeec7a0575bbdc6801c710895148fae5cb

Comments