MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d011a11f56bfb02dc45fc5784231377cdb06af659cb7416862e7f9240947d9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d011a11f56bfb02dc45fc5784231377cdb06af659cb7416862e7f9240947d9a
SHA3-384 hash: 383119b11be9800e0f44fa7c1d8662bfd5d4b204fc64635877c18f6fc7aa3598d0f2bdad39d3860c65fe54044f5ead50
SHA1 hash: 4628c2f1b5b9eec067fbf4d4bbdd729d1b4c726b
MD5 hash: 31dd0e800cbe022ed6aa1dd0e19ed7c5
humanhash: hydrogen-washington-bakerloo-lamp
File name:Quaotation - DES 0468.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:945'152 bytes
First seen:2021-05-24 16:43:36 UTC
Last seen:2021-05-24 17:01:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:w7vy/tBsPZxj4UdhIAU2aEBV9I3Gb15DAZVkwrrSA/K0n/ga6AwH76ysz:GCbGxHPIF2F9pbDDAUuK0n4H7bWz
Threatray 5'665 similar samples on MalwareBazaar
TLSH B0158C2C612EF122C1A8C27A4AC5983BE451DF373031BD69ECD77B585739E81789227E
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quaotation - DES 0468.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 16:48:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7f583c1-0b74-4d77-88cc-f1aabcb9bd35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790595
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423001 Sample: Quaotation - DES 0468.pdf.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 14 other signatures 2->62 7 Quaotation - DES 0468.pdf.exe 7 2->7         started        11 kprUEGC.exe 5 2->11         started        13 kprUEGC.exe 2 2->13         started        process3 file4 36 C:\Users\user\AppData\...\ZzPRNwCRPrGqw.exe, PE32 7->36 dropped 38 C:\...\ZzPRNwCRPrGqw.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpF9B1.tmp, XML 7->40 dropped 42 C:\...\Quaotation - DES 0468.pdf.exe.log, ASCII 7->42 dropped 64 Injects a PE file into a foreign processes 7->64 15 Quaotation - DES 0468.pdf.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        66 Multi AV Scanner detection for dropped file 11->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->68 70 Machine Learning detection for dropped file 11->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->72 22 kprUEGC.exe 2 11->22         started        24 schtasks.exe 1 11->24         started        signatures5 process6 dnsIp7 44 medicalperu.com 66.225.201.69, 49727, 587 SERVERCENTRALUS United States 15->44 46 mail.medicalperu.com 15->46 30 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 15->30 dropped 32 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 15->32 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 Tries to harvest and steal ftp login credentials 15->52 54 4 other signatures 15->54 26 conhost.exe 20->26         started        34 C:\Windows\System32\drivers\etc\hosts, ASCII 22->34 dropped 28 conhost.exe 24->28         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d011a11f56bfb02dc45fc5784231377cdb06af659cb7416862e7f9240947d9a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 16:44:09 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=buaruepvnp5qfxcf7rlyiiyto7g3a2xwlhfxifugfz7zeqeupwna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03d0c28c82537bc47e03f83532cdfd576b1524451a4dc7ea69f150b30cfaf65e
AgentTesla
3cb53846ce84b84a3c38a4b4e542fd08b30be6c160e2594b9e6e01752bd0a043
AgentTesla
a2f1773e4b9146563dbf711ca1462448a7a847f8b6660424f72faaa5fa9b20d4
AgentTesla
a89fb0409ae1c4b7693d58b270738a2e36d0e2f5b099550fe27353876cba6b6b
AgentTesla
c8b1422e0faff76b67b7cdfe2e9be0ba799522e729aba5cd191b1809740a7fd1
AgentTesla
d04a849e7e6fdf8b031ffe8db276f8dd315cd38f622ae9dc9fbf2168a9183f51
AgentTesla
d174e57a97b4bccb71d49b9f9005940829c6ed542e3cc534cd13dd8568fb28f4
AgentTesla
d3f8e4451246f36e47a5f5d2624e5b6b1ec08b5fc2fc4df6080b40f5e13edec8
AgentTesla
da292ea9e3cda3911d3e6023e9ead0e663a14a1d089cabe7830d46f9c27caeaa
AgentTesla
e99bae3896aa527b7e77c3ecda493364d913cfa2ddf1ef0b1a072d9f4289764f
AgentTesla
+ 5'655 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210524-1hr2jkkaza/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d011a11f56bfb02dc45fc5784231377cdb06af659cb7416862e7f9240947d9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0d011a11f56bfb02dc45fc5784231377cdb06af659cb7416862e7f9240947d9a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments