MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab
SHA3-384 hash:	08f5d038b1ba032d02b3f988816f32ef6203e8061adb97a95f1841a35541dd99998fb0da1f71e5fd76f5a53d6a8658ff
SHA1 hash:	a1bff3584190eb864cef46e15b9b69388fb404d2
MD5 hash:	189649fa8cf45fec112adc36baae421c
humanhash:	kilo-music-august-yellow
File name:	SecuriteInfo.com.Win32.PWSX-gen.8687.23257
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	635'904 bytes
First seen:	2023-01-12 07:34:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:gAfCDolghIk0SUbphRXdKV0umxvVzCaHuItZxIn2Cd2QfnM:gt/0SUbpxumfCjItZxq2CQQf
Threatray	24'735 similar samples on MalwareBazaar
TLSH	T12DD4F16472A4D697D1BB27F1F8231DF18375AD62E221D2871C837DE838B0B11AAD5713
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	120933332b3b0a10 (6 x AgentTesla, 3 x Loki)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.8687.23257

Verdict:

Malicious activity

Analysis date:

2023-01-12 07:37:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6d7324c-aab8-4f54-89fc-af555fc7ed8c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352183/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.8687.23257.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63bfb82d7620de0149a33227/reports/0ae29e37-0363-43f6-a23b-4d220658ad72/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e17b8c4a-eb88-4b94-8160-03d1579800ae

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1150121

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-01-12 07:35:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bmbagjektqbewt5kqnnfwgliqbpsaozvjbfmpojy7ywog2qyfwvq._file

Verdict:

malicious

AgentTesla

3e61d72e8e7853b7c4a966cdee9339bfe33b7ae33577c408cdfbca1d951335b9

AgentTesla

5c46c800ec8a689b837f7c808b4a9bd81079b7aca9106d1a9cc45bfe2cae2db5

AgentTesla

6532e16d04ebfc98395b0e06fb2c1210d5064dc242c2c374beccb6b561a58f6f

AgentTesla

d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac

AgentTesla

d896aeab1ada4fc3029f6b8ce8f9852775e3b0e30d7b13582208c052f8e8e20c

AgentTesla

e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91

AgentTesla

f2b319e1d2fdad6549ad9f56894221d7c3f8706d96012316dae1b52231a46247

AgentTesla

ff22717e9029e6216a77e312cc38af5aa1df822e9c41396ac10bd192ea11952f

AgentTesla

+ 24'725 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230112-jeqbqsbc5v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0fe9095e-f85b-424b-b87c-e34d1cbb6624

Unpacked files

SH256 hash:

35635a633d4403f114f3404656fdbf1f2620367470016fff7d77a58d095a6791

MD5 hash:

81c471c7c7a266c031b5f1a357d2536f

SHA1 hash:

c3b53a5da7869edce501c0a925698cf320d5d1cd

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

SH256 hash:

ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c

MD5 hash:

77ab42f4bbbf4565846eb8953192d71f

SHA1 hash:

3c662c756cc31867c0473716a74e777a65ced550

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

SH256 hash:

7e5e204cffd332794305af4d55081b88f469570d73413a215cef7e5022b41dbf

MD5 hash:

d46a0dabff1f872498f13a88ca259e54

SHA1 hash:

3a8778050187343ef72b2e5899dd5f8a6d15c2a2

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

SH256 hash:

844db6d64cb9e4189e328b27f09249edccfe1379c3b857e1fdfd1519afa0eef9

MD5 hash:

536a3d0a555d8bc55428175c2fd50b84

SHA1 hash:

149647e593ffc7c06290229e315ba21bfcd55a7d

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

SH256 hash:

6bc358e81d24d3d8f5a7431c817e4d53141b0f341e5f690b34e3e2c28316711f

MD5 hash:

866caf3d3d42b2950141d63e10c41e33

SHA1 hash:

12198bef2651b1bf88ff4bdce13cd605deb5e71f

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

SH256 hash:

0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab

MD5 hash:

189649fa8cf45fec112adc36baae421c

SHA1 hash:

a1bff3584190eb864cef46e15b9b69388fb404d2

Link:

https://www.unpac.me/results/9838dab4-ff72-42f8-91d8-b523dcecb022/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b0203248a9c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/0b0203248a9c024b4faa835a5b1968805f203b35484ac7b938fe2ce36a182dab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352183/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample