MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1
SHA3-384 hash: 3598a95741cbf9953104afc2b1c38875113f3c78e4056dae5935cc08100c1af03ef76cee7583fa4940cf9911146febf2
SHA1 hash: 9c5172a2152f0a778abec96b0d54fa2903c705a5
MD5 hash: c44bc4f3e51865e9fa7d8f7eb37a8130
humanhash: bluebird-sad-foxtrot-ack
File name:400000.CasPol.bin
Download: download sample
Signature AgentTesla
Create hunting rule
File size:170'496 bytes
First seen:2023-01-24 05:11:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:YLMsBrcQ5+7mvvb1D+1eGz8W+OJ3dM0yovr4hcCnaDMWQUDStdL:iMspQ7E+Fz86J3vyokcwaDMQS3
Threatray 20'247 similar samples on MalwareBazaar
TLSH T1FCF32A6852C5C951C71D40B4C4A011DB0AB2A947661BEB5E3EB0DCF63E4A7D33E2F8A7
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
400000.CasPol.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 15:05:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e414b662-8bb1-4a11-94bf-d9419424228f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356219/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Reading critical registry keys
Creating a window
Creating a file in the %AppData% subdirectories
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool packed
Link:
https://www.filescan.io/uploads/63cf68a42b351a3d0ea81c14/reports/ef706f39-dd76-45de-a37a-54a2c492c4e9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c53149a-89c4-42a7-9639-6a3824ec50e4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157622
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnx6bc3zmhm5ooqagebtr7hxqxbfndi2qq5vrksgrsuuz63rktyq._file
Verdict:
malicious
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
24902a43196fd02d2939443510181c165980bd71e889dcff559ca25153c76d81
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
2a890802046e55c856e2a6be5a2268fb8ba4410c15ac51415a1c30b0cd2336b2
AgentTesla
5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5
AgentTesla
+ 20'237 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230124-fvvdvagg52/
Behaviour
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1
MD5 hash:
c44bc4f3e51865e9fa7d8f7eb37a8130
SHA1 hash:
9c5172a2152f0a778abec96b0d54fa2903c705a5
Link:
https://www.unpac.me/results/f59fc134-3b6a-4183-90e0-a4ab5c5371f0/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b6fe08b7961/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0b6fe08b7961d9d73a00310338fcf785c2568d1a843b58aa468ca94cfb7154f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356219/

Comments