MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311
SHA3-384 hash:	587236ef4873714541e2485ce09eba7e229950c3551d0381a29d87347ce543c2f80fe0ecfe1fbe45de28ccdea98f4b78
SHA1 hash:	bee8d6fb13aba7571ecf1e341ef416d6a4a58aec
MD5 hash:	aa6a376890a972604d1ddb7e5bb0c5bb
humanhash:	johnny-south-nebraska-massachusetts
File name:	0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	406'578 bytes
First seen:	2020-11-14 18:25:06 UTC
Last seen:	2020-11-14 19:42:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d444820d9facb23288061674446775bb (6 x AgentTesla, 4 x Formbook)
ssdeep	12288:d4Pc291E7IkP8p3Yk+Ml5ikmUikXcV2b:ePcE1WIZp3Y/MOkmUvZ
Threatray	9 similar samples on MalwareBazaar
TLSH	41841205BAA1E0B1E85000F6855E9B6365BA783BA9FC9583BBC4530C5EB1BC41D27FD2
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject4.4520.16845.10798.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Launching a process

Creating a window

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535239

Signature

.NET source code contains very large array initializations

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311/

Threat name:

Win32.Infostealer.Stelega

Status:

Malicious

First seen:

2020-11-14 18:29:34 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bsjw245nylaui6ara2n2o4hla7eost7ivmuy2htzhcforjtrmmiq._file

Verdict:

unknown

AgentTesla

371dc3399511270ac4a84b08bc10d26e90f051bf1bd1e920650b28e097faaf91

AgentTesla

41d6db15778fc9471f66fe1ffa327fdb4ad7397d12f1e9bf330cb59b368f116b

AgentTesla

44e616211d93980b914bc40d74bb3a2738f5575609607bfb0635abbfdf378d18

AgentTesla

4f34ebc9996cf03118076beeb126c439e3dc355718ab85159ec3639a21ae638e

AgentTesla

519b0005450c43e7b4e7d93ec34230419c309b04f4df414313283258c1716036

AgentTesla

5df302032fa38879552d9a916c18d5e019fcddbed9447b53f75f9e4b1b08e7ab

AgentTesla

95432d34acb3db62d167b6ca78cf9e1f4508e692f1f4f124278dc07c552f4445

AgentTesla

c0dcc5b0f51d926bbe95fc37e56919780fe3ad05e93ecc2ccf59099ff30429cd

AgentTesla

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201114-t6msxkcs7x/

Unpacked files

SH256 hash:

0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311

MD5 hash:

aa6a376890a972604d1ddb7e5bb0c5bb

SHA1 hash:

bee8d6fb13aba7571ecf1e341ef416d6a4a58aec

Link:

https://www.unpac.me/results/5064f936-65e2-4704-beab-05936af39ac6/

SH256 hash:

9b0b6cfe220cbc5f74b35b1f8b9e7725ef459f37610fee32332817763ead1474

MD5 hash:

b87461acf9131a6c2382b39273ae2b1c

SHA1 hash:

56d72560655202295e0bd7d53685db8c058ffe62

Link:

https://www.unpac.me/results/5064f936-65e2-4704-beab-05936af39ac6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c936d73adc2c1447811069ba770eb07c8e94fe8ab298d1e79388ae8a6716311

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample