MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e
SHA3-384 hash: 597d441bc576838c29110d0f1c437c14f25085e11bbe3803fe3b6aba56d8e846a22e4d3f5f38ddedfecf20bcd4c95b7f
SHA1 hash: 24b1280484f4d8f3e7cefdfce6cee5ea6d07093e
MD5 hash: cf96aa3b2ffdc3cded291b70dd098648
humanhash: king-west-tennessee-six
File name:PU Request Form Hardware.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:877'056 bytes
First seen:2021-04-07 19:53:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:MpR434FyNPazsbts+3jBeYTQGVBXI13GATS:MpR4ZPxjBMGVBXIQA
Threatray 3'765 similar samples on MalwareBazaar
TLSH 8D151272B354DA20C86E47F6941344478332F2C8A913EFA5461C93D5395AB8DECEADC7
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PU Request Form Hardware.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 20:00:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fb5862b-e384-422b-9288-48e058b6a308

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132955/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.10342.6257.22292.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669203
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 19:54:10 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqapb4zzlzgvovtbfveb6nq5srilznllhjjiaao2bndetwoage7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a730a1310ede38cd0698606ccbe1a8bbd46c15308a735b1fbfe984a123bbe8d
AgentTesla
1a5421663abc706ce1c326cd443f5aba56108c99ef8e885261366aabf2e2f915
AgentTesla
29890b01a73b6721cf2e80232cc366b95be2eeb81bd7beb72372cd3ae4f05293
AgentTesla
3ad6ce8aaf456bd0cfd4ea3f7be02d9d08b5e74249e1bb49be61ff58ed61f675
AgentTesla
40d61be66d3c16485ba1276b6dad8756c3e51dd1957246cefee101e42cc07f5d
AgentTesla
4c482b22456df2e37106d59a8afeccdeb736ee89b13b3de6968acee2f3ce9f25
AgentTesla
53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25
AgentTesla
55dee6475ed6ea1cfb43a31212f428175352d010544945ad7cdc5341cc388da4
AgentTesla
672a61ad27f7bafa74b86dffa95262a18256d48cf3f1aa74c5b6907cefd9cad1
AgentTesla
93bb62774d2359778e34985d5c7fc6be51f91e48706509b8698714f0b5f46a46
AgentTesla
+ 3'755 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210407-exyd2we6zx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
def41159f9af4bd5086105bf78dff3abba85e5dd1ec2279fec588ba1dd7bafa3
MD5 hash:
35d0bd7f841219e93a8a698ccf743833
SHA1 hash:
c929fae377f8f1f232a8ef4bcd4b1bf5db347127
Link:
https://www.unpac.me/results/68b0ce95-e232-4e8f-9830-3db4646316a6/
SH256 hash:
33f6910ef6772505dc2a7a086ec1519ea97444220adbb7736f466290e16d819e
MD5 hash:
3380a30d26236f4468026f9d0356b5d7
SHA1 hash:
8b96298a26f07a9c92be6377d41ab6fe599deb2a
Link:
https://www.unpac.me/results/68b0ce95-e232-4e8f-9830-3db4646316a6/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/68b0ce95-e232-4e8f-9830-3db4646316a6/
SH256 hash:
0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e
MD5 hash:
cf96aa3b2ffdc3cded291b70dd098648
SHA1 hash:
24b1280484f4d8f3e7cefdfce6cee5ea6d07093e
Link:
https://www.unpac.me/results/68b0ce95-e232-4e8f-9830-3db4646316a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fca0e8af9a91e1c055259e1546bd1e164602ffc6973cc3ae877a1a29045561ca

AgentTesla

Executable exe 0c00f0f3395e4d5756612d481f361d9450bcb56b3a528001da0b4649d9c0313e

(this sample)

  
Dropped by
MD5 c74c39fb99c0a0d7d85fd45c49c1da07
  
Dropped by
SHA256 fca0e8af9a91e1c055259e1546bd1e164602ffc6973cc3ae877a1a29045561ca
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132955/

Comments