MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781
SHA3-384 hash:	cd6b1c0108c04954ce5f89bf4b08611391f57d95dfc095dddb3cf739d49de2a2b7948d471b4f563f0c4fbdb0b5fc55d8
SHA1 hash:	cf922d5be1cdb4686d3007faf906dd92737c8029
MD5 hash:	5efba56b5d08d560f3be33e8696f4d0c
humanhash:	solar-angel-don-river
File name:	Purchase Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	724'480 bytes
First seen:	2023-04-30 16:04:12 UTC
Last seen:	2023-05-01 13:20:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:HLV1fcwV8IalVlcNY0F7VR1qbdUYFbczPALf0KEUYRoi+nbdLjGj:3k0ElVlcFF771CJFbczPALwUianBk
Threatray	2'507 similar samples on MalwareBazaar
TLSH	T1F5F48D3815B87727D17AD378D9E15413B3E0A45FB321EA99BCC603EA0746E8179D322E
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order.exe

Verdict:

Malicious activity

Analysis date:

2023-04-30 16:06:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f321ab09-d6d0-46a9-9432-b9416bb8307e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/385726/

Detection(s):

Sanesecurity.Rogue.0hr.20230430-0135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw packed

Link:

https://www.filescan.io/uploads/644e91b016ef4c6656575e82/reports/ac42a3f5-82f2-45a3-b557-a854f0c22479/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8e006299-5375-4dbe-bf8b-5dbcb5b65e30

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1223742

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-04-29 23:59:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bk5gosynwu2n4t2s5asqoefroo3jool4xpyacgskni7jcj7ho6aq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

AgentTesla

2c5117280800871fbceb13a571a8d602c17f3c08247c8ccf546bb9dc8adda73e

AgentTesla

493781dc1d845e09f96742dfdc2edaef673ac5d4b2139875929166f2627dc161

AgentTesla

5453c16d0530e3bf32f870269a92db07188195005273c769b05752f4bb7c18e1

AgentTesla

729b3e10a37e42bba3f9999ce8a17bc69f8642d86420f05836a5d0271a718efc

AgentTesla

89ddd74ff391e9b89ca13cbd5f6d3b9568c1b5bfd1e7a0ff7b860444fc7e7a34

AgentTesla

d6c81069f8763d1bb3ee317188270f97b60271b52ab35bd92080dde6913ad2e2

AgentTesla

f4e535a66881a91014aa12b837175eb110849a0d387a925444576387aafd633b

AgentTesla

+ 2'497 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230430-tjgv9sac26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

3aa9f12524e8f4ddee37d05669fd21e8994c34f38d0c609b2b47950d59b56902

MD5 hash:

5594bcfd04202590fdbc30f7c18afa9f

SHA1 hash:

cf9fdfb54b32bd54d722218b1a10035ae6a4a49e

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/e574c004-d3cd-4a7f-8167-54fa6019eca9/

Parent samples :

ff99df4d6553a40959fd0dfca9f24dd3476ab91ebb084f0fe1f2037491a9e3c6
0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

SH256 hash:

7f0bb5ef863fe85e8fba6dda5d9dffbdb7479fb946e6189e7ead92c5849b1eb8

MD5 hash:

e7330c130813e35a56ad4367266a1667

SHA1 hash:

70f15df8302632f11f639bec2d629937a94e3553

Link:

https://www.unpac.me/results/e574c004-d3cd-4a7f-8167-54fa6019eca9/

SH256 hash:

ea8d4c91ec5bba5e1db6c17730d7ba5cdbb5ff3c1a777f70c90e91ce599d9b5d

MD5 hash:

27f5124bf8f451bca8d8a15c73c4f521

SHA1 hash:

5fd557e109b8fd1c3b362b64f0ba9f1600c07211

Link:

https://www.unpac.me/results/e574c004-d3cd-4a7f-8167-54fa6019eca9/

SH256 hash:

0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

MD5 hash:

5efba56b5d08d560f3be33e8696f4d0c

SHA1 hash:

cf922d5be1cdb4686d3007faf906dd92737c8029

Link:

https://www.unpac.me/results/e574c004-d3cd-4a7f-8167-54fa6019eca9/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0aba674b0db5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0aba674b0db534de4f52e8250710b173b697397cbbf0011a4a6a3e9127e77781

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.