MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bbef01e3922dfd1c78a50b98fe6af64419a483a9db9ec9acb03d9a93166585f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bbef01e3922dfd1c78a50b98fe6af64419a483a9db9ec9acb03d9a93166585f
SHA3-384 hash: 52b10e94a17ce620076dac73427edc097489e6f7bdd641f4bcbd3ae71eb70ced42f5d56d891fda78311b380926a0f78c
SHA1 hash: be0e132b04e7976d4b4d58e0bd2fb0d14e2ec3ea
MD5 hash: 2b3a8e2af5354f41a2479cc79a9da892
humanhash: foxtrot-apart-xray-uranus
File name:SecuriteInfo.com.Trojan.PackedNET.928.27157.16266
Download: download sample
Signature AgentTesla
Create hunting rule
File size:872'448 bytes
First seen:2021-07-15 07:41:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:rg/7cXmfJdcpQ0d/ahYxkaoq3iIEldqa:UI8NLaxka9M
Threatray 6'851 similar samples on MalwareBazaar
TLSH T1E50502217B40EF0CD67B0E3F45A55920A3F8C5664B43F2A72EF625FC488DB9A867114E
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.928.27157.16266
Verdict:
Malicious activity
Analysis date:
2021-07-15 07:42:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8e88d7a5-64aa-4fa6-a030-607afe92c04e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171884/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.928.27157.16266.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/675dbc87-e9ca-4d69-981f-accbb95e39fa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816717
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449128 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Multi AV Scanner detection for dropped file 2->40 42 8 other signatures 2->42 7 SecuriteInfo.com.Trojan.PackedNET.928.27157.exe 7 2->7         started        process3 file4 28 C:\Users\user\AppData\Roaming\YipeVqQC.exe, PE32 7->28 dropped 30 C:\Users\...\YipeVqQC.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\Local\...\tmp8502.tmp, XML 7->32 dropped 34 SecuriteInfo.com.T...T.928.27157.exe.log, ASCII 7->34 dropped 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->46 48 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->48 50 3 other signatures 7->50 11 SecuriteInfo.com.Trojan.PackedNET.928.27157.exe 7->11         started        14 powershell.exe 25 7->14         started        16 powershell.exe 22 7->16         started        18 2 other processes 7->18 signatures5 process6 signatures7 52 Tries to steal Mail credentials (via file access) 11->52 54 Tries to harvest and steal ftp login credentials 11->54 56 Tries to harvest and steal browser information (history, passwords, etc) 11->56 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 18->26         started        process8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0bbef01e3922dfd1c78a50b98fe6af64419a483a9db9ec9acb03d9a93166585f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 20:29:34 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bo7pahrzelp5dr4kkc4y7zvpmrazusb2tw46zgwlapm2smlglbpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b122d90ecb306cc9067c1ec1623a19aadc0005cb1d31f49120a902d4f26d5df
AgentTesla
70674069969b2ce934604004d648a59e7d5460589f6415f93ad5a070fb8e7910
AgentTesla
759c67a815022fb8b185236d3b2f25c2d009c8e9ff8bf3571e339dc2e2473d93
AgentTesla
a29b791498d9f70014bfa85d9254c95c3f06ff0e00f2787d61e1d8f634b9eb23
AgentTesla
a3a2ad325fcc84f63b237101a71e7ebe6dbfd52c9fd44fa076700777d8969659
AgentTesla
ad9ae0356fae8f4a43fec15aceebd060f28bfbbba90fdf2f67087f8d55edfbc8
AgentTesla
bf411b461237ce0b5f1cf021af00bf94c0f31a8aac095c9d36581c5095fcc2a7
AgentTesla
df5e40d1e917f0bd4c424f65c8e2557d094f5eff22b4ba6f63f093333ebbb8a9
AgentTesla
ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 6'841 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210715-5h9ze8v64a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
63ca7bcf36336bdf5ca3223aea78952a41247372da54ec09e87b3d6deda2786f
MD5 hash:
bfb0726ca1d08fc84196d653aabb9c34
SHA1 hash:
881b3e36ef6fd15ce7702579cccc2cd1dfa7d22d
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
6dc76e10358805c117595139f9c8ae90a9cda21d718d1b3e8d44c8068e8b622a
MD5 hash:
fdf0d76fdf2271d8996a429630aad820
SHA1 hash:
7285499d89f064b026f7565d5ed34a2fdada983b
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
58b640267e5adb048d274f242c787afb311472e48d274f9cb8de9ab17e1197d5
MD5 hash:
fd4009ba68d1c1709609340d7518a236
SHA1 hash:
2d7ce29720d629023ee1b224b84b8a2449d31740
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
440d4e84704b89fe380f8cc89db15abeff882e5f2c02cdb4f3267fb14449c5b1
MD5 hash:
8ed79dced09e69db67bc89b34a237b00
SHA1 hash:
03b1e014d514595b693a5090653da2312fc59da9
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
3588accfd94ff7b0bd5bab6487be28f56288c6de2d8281b57b2a181d84ed53a4
MD5 hash:
92ba767559842b44a9ccda13236274e3
SHA1 hash:
35577a4bfe4134a1cebe68af11c1f2e0a15141d9
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
SH256 hash:
0bbef01e3922dfd1c78a50b98fe6af64419a483a9db9ec9acb03d9a93166585f
MD5 hash:
2b3a8e2af5354f41a2479cc79a9da892
SHA1 hash:
be0e132b04e7976d4b4d58e0bd2fb0d14e2ec3ea
Link:
https://www.unpac.me/results/429fdd62-afb0-448c-8713-b6816734fecf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bbef01e3922dfd1c78a50b98fe6af64419a483a9db9ec9acb03d9a93166585f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171884/

Comments