MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94
SHA3-384 hash:	b2c2bbd37fdcef0af2d6d71687d6e0e6e6da16b3782f6af5d34f7d71c486070c47394278ad2b31dcc8d0a1ccea53ce96
SHA1 hash:	c68788c4364fce787f78bb228ab02db3c3ddc226
MD5 hash:	8fb5ca22085eabbe78929ffacb78cbd9
humanhash:	eleven-johnny-lemon-oscar
File name:	swift Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	639'488 bytes
First seen:	2023-09-27 13:12:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:twx+Uw+MMMDMMMBCUyaJ5GUbT+4aqGvjYUbJ1NFIu5qVMjW28Myv:qMMMDMMMBCKJQUbT+BqcbHItVMj98P
Threatray	5'799 similar samples on MalwareBazaar
TLSH	T18ED4AE1531EB1816E777EBB787ABF941C7BEF2A0266B721A401A03D686D3D42F702474
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

swift Copy.exe

Verdict:

Malicious activity

Analysis date:

2023-09-27 13:15:29 UTC

Tags:

stealer agenttesla

Link:

https://app.any.run/tasks/bca92868-9583-4c0e-93b2-eb9e0030b299

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/451591/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.61429.32121.25239.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin packed

Link:

https://www.filescan.io/uploads/65142a6033582f234e049416/reports/13abfb4d-5e48-462f-ab9c-8aedf8e933ab/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/363f7d6d-31bc-427d-a616-05e4bec7a8ab

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1315269

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2023-09-27 03:17:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=btpt64dbrv6tatvcbjbrt23kkyltwpsgcnfozftpkwza6vif5oka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

493b2ded607633e6df0d1b272a717d12adee8171a49b736e006754ca4645567a

AgentTesla

674a748111a6ce0179d7282aec3a9b3da359f024c4206f61876a78261e65c19d

AgentTesla

6da250db07d57180aef37a2cb036940a5c9f533a14ab7b64ac05a4c494f04ca9

AgentTesla

727a759fed6228f9794f4fdf08fd351705631e2a32bdb4ad60230cace276adf3

AgentTesla

8cbd4c3b44b01f2cf5887f3ae447c4a2b72b042a25403095d5b72e900335c116

AgentTesla

e78c8648218f38b73143f2db83c972448cbebf6018e3d74f99622a84f3aff875

AgentTesla

eb47fa04d84b315142efd50e7bbee163d5cf49de82c961022f4199847e111d78

AgentTesla

+ 5'789 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230927-qf33jsba2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

36d22f7ca8292cba56f51511527d2a2d9c3560790a3be33f4a78eadba1c5b4f8

MD5 hash:

9a0feb91469bee80a725fa29dadb7775

SHA1 hash:

f9ee40d6f787c3109951bd87f0972e43ae94b74c

Link:

https://www.unpac.me/results/09a154ea-b81d-4e1c-9b09-823c19db2a9e/

SH256 hash:

5cf51d1a8d4bd940740e90e3962cea8e939e791ef7c5bd88d1a0cb574af25b70

MD5 hash:

9407c2206b85c7cb0949ef623fa614d8

SHA1 hash:

df6e3ec48a4e673d93fc6818db52460ce8fadd9a

Link:

https://www.unpac.me/results/09a154ea-b81d-4e1c-9b09-823c19db2a9e/

SH256 hash:

4c582359ec776acc296a56d3b18a5e51f7a4e00f5fbd8fd4a3e42add7ba9753f

MD5 hash:

ae7a538471533b77178d722d73d7385d

SHA1 hash:

45f099ab188a6cb8cb3c79dbdf812b905d73d616

Detections:

AgentTesla

Link:

https://www.unpac.me/results/09a154ea-b81d-4e1c-9b09-823c19db2a9e/

Parent samples :

493b2ded607633e6df0d1b272a717d12adee8171a49b736e006754ca4645567a
e78c8648218f38b73143f2db83c972448cbebf6018e3d74f99622a84f3aff875
8cbd4c3b44b01f2cf5887f3ae447c4a2b72b042a25403095d5b72e900335c116
1e58093d8f9fbd98920435ef868b14e507c33b137b2f9d415f250334db8c2d65
7c6290e3655029c44efe34d131645a716c892194cbe501514927d90350fee4f7
0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94

SH256 hash:

0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94

MD5 hash:

8fb5ca22085eabbe78929ffacb78cbd9

SHA1 hash:

c68788c4364fce787f78bb228ab02db3c3ddc226

Link:

https://www.unpac.me/results/09a154ea-b81d-4e1c-9b09-823c19db2a9e/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0cdf3f70618d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0cdf3f70618d7d304ea20a4319eb6a56173b3e46134aec966f55b20f5505eb94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/451591/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample