MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6
SHA3-384 hash: ae826c5d67a182b96f9cc8d8173350ebc83333198256fcd4d858f294d023da644844f8da57209e48a4a16d63ab88029f
SHA1 hash: 157a39b6cc0bf291ae562de3375ef1b6ecfde68f
MD5 hash: d881b25107c15e6a403533b2fded497f
humanhash: quebec-skylark-comet-undress
File name:d881b25107c15e6a403533b2fded497f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'267'760 bytes
First seen:2022-10-21 08:43:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:gAOcZXQOsoYKjqsM3RwfksQU8OIgibj5HHeg/cbGOSMIKB4p:+boisM3afkXU8H335HdYGOSMji
Threatray 2'585 similar samples on MalwareBazaar
TLSH T196451202B7CD84B2C47219315936671D6D3F7E201EF4CA5FE3E0596FAAF11906221BAB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8463e0e9e9e06204 (3 x AgentTesla, 1 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.botswlogistics.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
d881b25107c15e6a403533b2fded497f.exe
Verdict:
Malicious activity
Analysis date:
2022-10-21 08:46:57 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/6405c979-2136-4298-924d-3f4d23550ba5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322248/
Detection(s):
Win.Dropper.Nanocore-9974287-0
Create hunting rule

Win.Dropper.Nanocore-9975167-0
Create hunting rule

Win.Dropper.Nanocore-9975168-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44094/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63525bd6b87ce1b32f791714/reports/f6403bfb-2021-429f-91fb-3c0a4f07f3cc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/057fde55-f318-4f32-8c11-b887f14e107d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1094751
Signature
Contains functionality to hide user accounts
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 727388 Sample: lJlrqKPZs0.exe Startdate: 21/10/2022 Architecture: WINDOWS Score: 68 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AntiVM autoit script 2->40 42 Contains functionality to hide user accounts 2->42 14 lJlrqKPZs0.exe 3 85 2->14         started        process3 file4 36 C:\Users\user\AppData\Local\...\njigc.exe, PE32 14->36 dropped 17 wscript.exe 1 14->17         started        process5 process6 19 njigc.exe 4 17->19         started        signatures7 44 Multi AV Scanner detection for dropped file 19->44 22 wscript.exe 1 19->22         started        process8 process9 24 njigc.exe 1 22->24         started        process10 26 wscript.exe 1 24->26         started        process11 28 njigc.exe 26->28         started        process12 30 wscript.exe 28->30         started        process13 32 njigc.exe 30->32         started        process14 34 wscript.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-20 20:11:34 UTC
File Type:
PE (Exe)
Extracted files:
211
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bq4lksekfrzkrg4lxt4rctmuk6fmwffuil72fvlrlzo2torkjpta._file
Verdict:
unknown
Similar samples:
2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
AgentTesla
303bd4a9a4f522900dcb9af3030f9683b64cb904e12e75ed06723c43215ef438
AgentTesla
3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855
AgentTesla
83327640b003bbdb759074d1e9925381bcb661a35b531b3d9832435ae80298ac
AgentTesla
b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
AgentTesla
ba921e5bd4687eec051d4e646756bb2930ec900abf061b94761d6944f906afba
AgentTesla
effc707b7461da9f23cfdf850c4cea3c175cb4d2a91ce1cb3a0562369ab52494
AgentTesla
+ 2'575 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221021-km58labhf9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
AgentTesla payload
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2a1be022-06a9-4af7-970b-918a4023934e
Unpacked files
SH256 hash:
56c4c7a24b62db84d7526b6ce4d3af20dcaf55026876303dfd05c3eb26e2587e
MD5 hash:
37ccbad3794b6adcf532a7b6d7170014
SHA1 hash:
ae10547a4a61e78e34a689a1bf80024369d0a919
Link:
https://www.unpac.me/results/747403e7-eb03-46a1-9c0e-872b532d6380/
SH256 hash:
9f58924393f01313e85784a47b77e4d5a737ee43cd5eecb701f0141dc8187f82
MD5 hash:
bc7d03ee36ccdd40e53f8e512b379f3b
SHA1 hash:
66d0cf3e67f4fafc7a5508165d96895d8a7cf894
Link:
https://www.unpac.me/results/747403e7-eb03-46a1-9c0e-872b532d6380/
SH256 hash:
0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6
MD5 hash:
d881b25107c15e6a403533b2fded497f
SHA1 hash:
157a39b6cc0bf291ae562de3375ef1b6ecfde68f
Link:
https://www.unpac.me/results/747403e7-eb03-46a1-9c0e-872b532d6380/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c38b5488a2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_ab4444e9
Create hunting rule
Author:Johannes Bader
Description:detects Agent Tesla
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2379534/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2378411/
  
URLhaus
https://urlhaus.abuse.ch/url/2379236/
Cape
Cape
https://www.capesandbox.com/analysis/322248/

Comments