MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346
SHA3-384 hash: 37c18d8144967d6bd3da7fd1de0c2d827fa7822cd02177613b9a7987806f3056bad61fafea53316db46f0b9926a5240d
SHA1 hash: 52e32d5e69e55684fc910c3ce2848a8e77a1ff71
MD5 hash: 1d331340b05f57913bb0724a15bb75b9
humanhash: moon-snake-vegan-lake
File name:PR-009848.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:388'576 bytes
First seen:2022-09-27 11:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:zh8qBAoB+ptSQ3gD9VVCEqr4nu7TGF0MFCfaKxJldfD/kP/Zo0/hRwRygkO8g9/y:VAyQm9VVCSz5yaKxj1D8PR1fJShKi
Threatray 123 similar samples on MalwareBazaar
TLSH T1F684F7E0317C93CFD0A28DB15FC98A7079F135AC98C0560EA0FA9B2D93D6395189D5FA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313960/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.50.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6332e14f18a36c641c87400b/reports/ee381131-ce77-40ce-9c13-e705db1ee18f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73ff6d8e-806b-43ca-902e-28d7e9ca2c13
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078274
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 02:12:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
25 of 40 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bowuejmdnwzq6yyb5ciojwqp4aozc6gkx556n5rl36spleafanda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
405e27a7f920551ec2f07607ea3a8b186880306c5176ca7fe8a1edeebc7a5ff9
AgentTesla
53867ae1994d09f07b882ff96d80fc9d38b50e3aae70054985e07b20634ac14f
AgentTesla
5706d730a58d4d29d100059bb955e681dde3060f26f17b2d2ee4eb9d9f0f9ee1
AgentTesla
6f65bc7ad58ce2f17dec79d9dda14c31d73587552b72e7d90b5b827c1a80c9c6
AgentTesla
84e9f33b682944d11444e1ddd0f27f2fa6c1d0ca29ed8a6a620b406233ef82a0
AgentTesla
96c459f3f71ca66620515448f8dfa12c67d8b3e020776c93ccda641cce782ad6
AgentTesla
ba51afdb597f570e1914c3253b219b6397f9df8f6448a33991dafe561706f2db
AgentTesla
bdaf2cc27694475beaef6b0945e952e41e3ab6972bae7243b3656c6a87d2bb0e
AgentTesla
+ 113 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220927-nte7jaeecm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Gathering data
Unpacked files
SH256 hash:
da09ab96ecade7c6109d865976ceb2162bcf3015f3a14674e2831ddd5bc8d9e4
MD5 hash:
d47da29669aef761253e161e25f73c52
SHA1 hash:
7201a1d735cd441d7bc749d8c610a5ad997ebb05
Link:
https://www.unpac.me/results/6759ffe4-1be7-4105-a572-d2ee769278f2/
SH256 hash:
15e65902dda2ad4a5bcec22a1107493188c704354d506d8053d84f55596b3249
MD5 hash:
a8f90e52d2c14a2e445f4fb9e52b56e7
SHA1 hash:
6c76ea6cf3a070eacb9044d3e0df70a3faf8c589
Link:
https://www.unpac.me/results/6759ffe4-1be7-4105-a572-d2ee769278f2/
SH256 hash:
aacfcfd37f57c743641a9f2276dd361e959009883265ab6dca7675adaf024b1f
MD5 hash:
039b79d2567ebb1c1b57acb34c91ba78
SHA1 hash:
1e000b3a149eb1dc3b698c45995b9abe582f933b
Link:
https://www.unpac.me/results/6759ffe4-1be7-4105-a572-d2ee769278f2/
SH256 hash:
0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346
MD5 hash:
1d331340b05f57913bb0724a15bb75b9
SHA1 hash:
52e32d5e69e55684fc910c3ce2848a8e77a1ff71
Link:
https://www.unpac.me/results/6759ffe4-1be7-4105-a572-d2ee769278f2/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bad4225836d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0bad4225836db30f6301e890e4da0fe01d9178cabf7be6f62bdfa4f590050346

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313960/

Comments