MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d
SHA3-384 hash: 872806b8f701299140bd7b2f041f39aaa3cdd764cc3598292b7e2c6cb7f97b822798495766938a7ee0308889a5b032d8
SHA1 hash: 5b2fe2aabce1066ac5fb20e60c94591272ecccf7
MD5 hash: 8a14dacb5b4e3171d64dc4cee7c541eb
humanhash: kitten-king-foxtrot-saturn
File name:rDPO23-I-086GARDEXFLOWMETERiv.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:812'032 bytes
First seen:2023-10-04 16:09:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Y8zS55mFzv8PqWOv3NlQyyTcF5BujcbiMq4hB/OBjwQt:Yf55qT8Pqp/NGyyT81biMJ/OBj
Threatray 53 similar samples on MalwareBazaar
TLSH T10105F1D37221C155DEE94279CA66CEFCCF79ED02BD42956725843ECA3B3BB040A05A8D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8ef2f600840082ba (1 x AgentTesla)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
BR BR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16240.20528.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651d8e5b7e001f82cf779b83/reports/9ea2bdb6-5fb7-45bc-895e-c37933abf834/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/950e78ce-196b-46dd-8999-a39a1ed2cb2a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319612
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-04 14:09:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=buc4t3c4xtgheuv7uty74pnfvse4imp3tk5bl7f7fbrbz4xsusgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00dc35f39503924bff98f40ac52100ab2882ed22cdf8a3e4a9ec2f1797736aaa
AgentTesla
18a48731b148e59ecffa75b392d72963d1a7e386201e9745eb1f06169cd37d00
AgentTesla
3be6612501472572fdc009d75567cb83d4f2f54a7628c2b95b48adb6bdc43b9b
AgentTesla
63efc3445014bdf5bc7c990e30c279a5f1ef3aca8760335c91e5c774aac13d73
AgentTesla
7266208dc8fb418f47fef760b7c35196336e8f2e3822108df59636d125d3568d
AgentTesla
8192f84102d9071fc922c436f69660b5be0bdb300adaa212295f84f985bbc5ea
AgentTesla
af5181b58209a8a6e973d806ba6e2321e7aba08b3bd56012d4f159a7b2f51ac2
AgentTesla
ec50c4dbfaf63807aa7eab2af9c1bc46b66553bc1da16f1aede4dd8096b8bcd5
AgentTesla
eded555a7a575a6335ccc1c59ac51b58eb00ba3f43a0d5ed66f2af28f4d3bcf6
AgentTesla
f4467d8859d174c9edf5b596e96c4456a6aa0259bdee1d72697a76aab5f2f899
AgentTesla
+ 43 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231004-tmcqqaeh77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/172b62cd-1094-4142-b481-9b06868214db/
SH256 hash:
af10a81d30ea6c14a0857caa64697f78672a941419d679b34eedb82e080ad46b
MD5 hash:
ec0b80883f0b18fb75a48dd18795f514
SHA1 hash:
afe9537c27362b6769a1df0ad414b8e58d34ea40
Link:
https://www.unpac.me/results/172b62cd-1094-4142-b481-9b06868214db/
SH256 hash:
0ea61e8e5c426bf84e4b8f2ab9a072739eaf890100cb4d7c0849c2cce4cc825f
MD5 hash:
ffd2e127d566e2d2fb3eb8455733f101
SHA1 hash:
5798b442c5382dd03deafc0c01ab11946ba154b1
Link:
https://www.unpac.me/results/172b62cd-1094-4142-b481-9b06868214db/
SH256 hash:
f9df5f5830d26d1870d3bda5e6456056853cc9bbca4457ba4a6bbd1fcad88c19
MD5 hash:
0ee534871b4d36a1dac1a43f01bd616f
SHA1 hash:
1fbe1c6c069d02428e7b78aa924966d8716747ff
Link:
https://www.unpac.me/results/172b62cd-1094-4142-b481-9b06868214db/
SH256 hash:
0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d
MD5 hash:
8a14dacb5b4e3171d64dc4cee7c541eb
SHA1 hash:
5b2fe2aabce1066ac5fb20e60c94591272ecccf7
Link:
https://www.unpac.me/results/172b62cd-1094-4142-b481-9b06868214db/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d05c9ec5cbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_bytecodes_sep_2023
Create hunting rule
Author:Matthew @embee_research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0d05c9ec5cbccc7252bfa4f1fe3da5ac89c431fb9aba15fcbf28621cf2f2a48d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments