MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a
SHA3-384 hash: b2dff7fa9be87278921678fdeacc5fa5de0d2a32cd2eab83c9e5220c28f00fe48b5b5ee28a8c3c8282edd00ba075083d
SHA1 hash: d35720a1b0b49379a37dd94aba65364300f9e363
MD5 hash: 70129737cc2cd212320bda63a32105f5
humanhash: lactose-avocado-neptune-utah
File name:Accessories Required.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:810'496 bytes
First seen:2023-02-08 11:54:03 UTC
Last seen:2023-02-08 13:34:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pwawHRr/CB06KuLpbhRQWijEjuTR3mv/HfSzErDPBLPdKhPTnfJ4ncUKPPUHI4FI:pwawxO5dNQjEOR3mPSiFCnh4cR+FZ
TLSH T18905221C2BBEDB28D97C0EB67474057147729431B523F31D4EC6B1EB2DAABA04642B47
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Accessories Required.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-08 11:55:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b35932e6-d9e5-4f70-816a-604d67e083c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361945/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65399278.15759.1989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e38d971c9cbf7d6256c112/reports/feb236a4-9045-4db5-a024-6fefec9fb0e4/overview
Verdict:
Malicious
Labled as:
TrojanS.C5A2F73F
Link:
https://www.hybrid-analysis.com/sample/0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c184ea4b-308b-4037-b425-7287715d9d65
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168736
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 11:49:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 39 (58.97%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bktpy5b5lpd7dyzbq6ehvtfzzuisanzlmrguzucg4h53pakkwn5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230208-n2v8qaaf44/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
SH256 hash:
a342a9767e2815ef79862ef4e9f58782b28ded7ce4b80025b9aa895218864121
MD5 hash:
230a46414609bbe47252c924f0014164
SHA1 hash:
40406c68b1f74c46a41c72b865f881438e252b8c
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
SH256 hash:
f59e76b22119a67a7f8f37976b4454c4a553952e9ebd56550a136204f5dac3c6
MD5 hash:
9716201a02c86900d620a93b90acf1f2
SHA1 hash:
382fedba3e45749ec323bb8c62175f35664dab95
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
SH256 hash:
79de01f5a546db8a1a57fbafdd2e44e9518987f6de7b1369080d0b0b1779af78
MD5 hash:
cd7b56830edfcec478caeb457342f041
SHA1 hash:
2c2c80f8b8cbd3e4bd12176d5d699215ca55e6b3
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
SH256 hash:
0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a
MD5 hash:
70129737cc2cd212320bda63a32105f5
SHA1 hash:
d35720a1b0b49379a37dd94aba65364300f9e363
Link:
https://www.unpac.me/results/4d243e6b-69d9-4d7b-82bd-8f53bee480cd/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0aa6fc743d5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 1bf8b62a62829783a157a1d6c92f5535edf7acd57adea8611d5a6077d0bcfe5f

AgentTesla

Executable exe 0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1bf8b62a62829783a157a1d6c92f5535edf7acd57adea8611d5a6077d0bcfe5f
Cape
Cape
https://www.capesandbox.com/analysis/361945/
  
Dropped by
MD5 3af76621e40c36665c48e334efd15f75

Comments