MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 16
| SHA256 hash: | 0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4 |
|---|---|
| SHA3-384 hash: | 33eb7548476f86a87f3d8089a48c9523d61cb73fd117f7425f6f14cae32cedd36be64fc8737eb5e067d586c099c3e3fd |
| SHA1 hash: | 197a1f5dedf523bbca3bb197cf6473c5ed907d15 |
| MD5 hash: | ea77a015c9e55ab7f3ed3619f1620394 |
| humanhash: | william-six-timing-wisconsin |
| File name: | TT copy.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 614'400 bytes |
| First seen: | 2023-10-06 13:35:23 UTC |
| Last seen: | 2023-10-07 11:07:12 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger) |
| ssdeep | 12288:O0iW7s9Gw72TI6DZxcLsirGpb1PRE9QdC3SVwk3+v0cB10bG9:O0iW7s9GeekFrGXKxUw7v0cB1t |
| TLSH | T11BD4014422AC0B36EBBA4BF55E72101067F17C4A0076EA1BCED521E705BAF391661FE7 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Reporter |  cocaman |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
16
# of downloads :
268
Origin country :
CHVendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
TT copy.exe
Verdict:
Malicious activity
Analysis date:
2023-10-06 13:37:06 UTC
Tags:
stealer agenttesla
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
10/10
Confidence:
100%
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-10-06 12:09:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
19 of 23 (82.61%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
85f3ce7156b8d5e885b5d3cc42d99793bf7f478102e64c1ebff2709da264555c
MD5 hash:
75a62078e01a0566293e65ccceee2888
SHA1 hash:
fe719a08ab8338db8268672119e2da4cd8ea6246
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
SH256 hash:
98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07
MD5 hash:
aa445eee133a93b202ea105e5de4e232
SHA1 hash:
c0968cfa259d38fb80af27465c314ba889b08296
Detections:
AgentTeslaXorStringsNet
Parent samples :
baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
SH256 hash:
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
MD5 hash:
ea77a015c9e55ab7f3ed3619f1620394
SHA1 hash:
197a1f5dedf523bbca3bb197cf6473c5ed907d15
Malware family:
AgentTesla.v4
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTesla_DIFF_Common_Strings_01 |
|---|---|
| Author: | schmidtsz |
| Description: | Identify partial Agent Tesla strings |
| Rule name: | INDICATOR_EXE_Packed_GEN01 |
|---|---|
| Author: | ditekSHen |
| Description: | Detect packed .NET executables. Mostly AgentTeslaV4. |
| Rule name: | MSIL_SUSP_OBFUSC_XorStringsNet |
|---|---|
| Author: | dr4k0nia |
| Description: | Detects XorStringsNET string encryption, and other obfuscators derived from it |
| Reference: | https://github.com/dr4k0nia/yara-rules |
| Rule name: | msil_susp_obf_xorstringsnet |
|---|---|
| Author: | dr4k0nia |
| Description: | Detects XorStringsNET string encryption, and other obfuscators derived from it |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.