MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203
SHA3-384 hash: f9a97c2da88748a0e445b4a4b6c557af560d20cdea967b032e35c614d7d4dcaf7cbce7df69554b0961dfa2140c993467
SHA1 hash: a2e8338d121835e40707f62b794a9303c88ac615
MD5 hash: 19dcf8912bf618f99ed2b14a218abecc
humanhash: wyoming-vegan-dakota-jersey
File name:INQUIRY FROM ERWEKA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:726'528 bytes
First seen:2023-09-29 11:35:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:ycDAckj98RyVyXQEnq2jBUQj6ByMsHTzPHtH1DSxBEMPdzSd:fkuRlXY2uQjLMEzPHZ1DSxZF
Threatray 5'825 similar samples on MalwareBazaar
TLSH T189F402016B921591EABE73B49DB6013103B77A62DA39CF1D18CC60CD1BFB691BA01F63
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 229878f8b4f031c4 (24 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451955/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6516b6abf1b40cb0d624615a/reports/9513f80c-557a-405c-9650-82ce7c1de1fd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3598363f-422e-4b60-8bd9-783f37ac013f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316533
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-29 08:38:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
10 of 38 (26.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=brizdpovixm4fk5xqcp2li2cvxht45tlytcogihvpgnuimf3wibq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0763c342c24ead7900fdc994102dd981fd66e0097bef7db0e665b791b24d00e0
AgentTesla
0a9c0028ca8e438ed316db1335b3a25af6d923fd25c61ce4c79a7bc41a843c76
AgentTesla
24302177dedad82f4cd086b6b2014c4832f356753968c97f80a42bdb00dad095
AgentTesla
3dc0ba891a9eb92c7264d339be2defe76aa995806602a23aea9f1e6c3f4da29a
AgentTesla
710fa86210820e8990d72fde020d01022c213ef03c036d1ed1ce96e8a07eb9ce
AgentTesla
793e60744aa163e0da636233df2fc83f43d447cddf4a89b28ff15a0ca95e69f9
AgentTesla
85080c93fed815e1de0896f7e79b99c9d6895572f9223f95ba6f52d132c52b26
AgentTesla
95dd113d2239a754fd3e2a8314429df25ae396aeeed43029292df04e830338f6
AgentTesla
d2fb9d582fc9194f578aa64d7b3c8c850ecae8b09da07b3dae555aee55e3a154
AgentTesla
f063fd1548945689a8b519daf454193e128bfca6c8b3b061f0ce7185b71412a8
AgentTesla
+ 5'815 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230929-nqlvxaab9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1155851254833098752/vo7YFAKtXfOsqzCNUtNicDb-UATDDMk-I1yIVvfrhWq2PcNTiC3zk-xEzVbiwJTsDRuZ
Unpacked files
SH256 hash:
bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766
MD5 hash:
fe233bfa89c7e26811c45fec198f7937
SHA1 hash:
6f0af0f155b841786f43b01e0c1c033aa277cdbd
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
SH256 hash:
7d451f7052e87d9c1e305565002f200d5e2e43fe04a773ad1d72f1f220fcff88
MD5 hash:
b23c837864ed6c0c0986b0de17ac063a
SHA1 hash:
44cd1740ff99efe039b0b9f23caa8158b46a9ed6
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
SH256 hash:
19f64b725669971015df86523d5f60f83ead5ae8ee82c2f9a3c05c10e38f0a28
MD5 hash:
0f4d4bd391eb177d82c19b3ddf2b90d8
SHA1 hash:
304b7f26612e2f2cade492785ac497619784f291
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
SH256 hash:
9683d35360b33f96c852654a3467a2a8291b6dfacf5f6d33932a690d0372ba71
MD5 hash:
e405da46e719c4576cac28c837b05c69
SHA1 hash:
13b479e25454be6dc382a7b1da0a656e2ef81f8e
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
SH256 hash:
9d82b529a45bc8b607bc5b4c6ee9bd2dc2022cdcb1cca444af0ebe9b46c2fbf3
MD5 hash:
5a6f5c961871c5971bd0bb43f6e576bd
SHA1 hash:
10a3eaab0721abf01e85907eb0d82bf3276e341a
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
SH256 hash:
0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203
MD5 hash:
19dcf8912bf618f99ed2b14a218abecc
SHA1 hash:
a2e8338d121835e40707f62b794a9303c88ac615
Link:
https://www.unpac.me/results/47a62aa1-18be-401c-84fa-a3e5b01a277a/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0c5191bdd545/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0c5191bdd545d9c2abb7809fa5a342adcf3e766bc4c4e320f5799b4430bbb203

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451955/

Comments