MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28
SHA3-384 hash:	edcf28c26e66383d1576ed50ea85ece874ae449c595bbe0237cb70a0963ac440e47dac8614d8d28205cc51268f6a6797
SHA1 hash:	ed771db27498f138399004cbbd558a304e5894af
MD5 hash:	e9cd592d655f9bfb210ecbb86e7769e3
humanhash:	speaker-hydrogen-august-item
File name:	SecuriteInfo.com.Variant.MSILHeracles.47432.14347.5053
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	705'536 bytes
First seen:	2023-07-17 17:31:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Pdw7GQIut7DjWmdc561oTOIYXFQzDbMIbTVW:Pdw7z7XrdGWjs
Threatray	1 similar samples on MalwareBazaar
TLSH	T14FE45E0739D11907D62E427E907C6A6CEAEEA61D117FD625302CC3E3B1F660CAA4D71B
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Variant.MSILHeracles.47432.14347.5053

Verdict:

Malicious activity

Analysis date:

2023-07-17 17:31:52 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/e25312e0-b9d3-4744-8341-2d418dfa19ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/422949/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.47432.14347.5053.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin masquerade packed replace

Link:

https://www.filescan.io/uploads/64b57b167a9c6ddebf0b2540/reports/ee95af94-8c3e-4350-ae81-3a36924d657a/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48b552f3-bb85-4028-938a-4de624d4822a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1274619

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-17 15:23:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bruensqj2gteo22be3xwtxof6ijoyvtmr2olo3f3giglsbcufqua._file

Verdict:

malicious

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230717-v397ladh45/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

7698ddef6ee4246f794e1c231e99093b7c83bd4eddd7a2564bc3e1256f078464

MD5 hash:

3abca0b8136335917489b32b5dcc6c06

SHA1 hash:

b201d72b90c2ade735df0b5db540c24b3042da7f

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/c2b47bb4-2c00-46f3-b1a9-f0c7ba9d66ee/

Parent samples :

41fa3f12b132569bfa21259f8880b11be191db8c820f0505e0128d0fa9df48a7
d78480d58e19a9732187f4764a747c23c9572d6b7e18b420254756173e9bbcbf
f4ab856bd56b75b7ebb8925ba5f880a539b398c9286a47c45ba0ff1a220a2f5a
0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28
9c629d30ee820dec4c476fecee2be0ba23db86ad1de1eb989c33bc594b7ea21f

SH256 hash:

558ed89f73b626fac57b7e5ea4e006dbd8d2850780b23bbafb2c5a919665669c

MD5 hash:

064463583831163489d7ecf8cd58f3ac

SHA1 hash:

8d6ef9580eb1b9664c83acba8bb8532deac0f658

Link:

https://www.unpac.me/results/c2b47bb4-2c00-46f3-b1a9-f0c7ba9d66ee/

SH256 hash:

50b224aa5cbf278ebbd6735f82a453307fac9b9e1ac07f0d908761ced1480ada

MD5 hash:

95a555c0a90b9f7c8dccf5e413bda6fb

SHA1 hash:

e7cbc1cd65d9b80a89656eae39c53d4dfc92fd8a

Link:

https://www.unpac.me/results/c2b47bb4-2c00-46f3-b1a9-f0c7ba9d66ee/

SH256 hash:

0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28

MD5 hash:

e9cd592d655f9bfb210ecbb86e7769e3

SHA1 hash:

ed771db27498f138399004cbbd558a304e5894af

Link:

https://www.unpac.me/results/c2b47bb4-2c00-46f3-b1a9-f0c7ba9d66ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c6846ca09d1a6476b4126ef69ddc5f212ec566c8e9cb76cbb320cb904542c28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/422949/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample