MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3
SHA3-384 hash: 0a6d572543d511a9dd99a6108866930dc3cf98f3880f1148698b1041e84bf65ee9ef142a80983414889656e39e0e8660
SHA1 hash: cc4df9ab50ca45b666ec79b3f8198ed9d2f7b4c7
MD5 hash: 735a1d3fd9bccd7202e77bf3240a05ec
humanhash: alaska-vegan-magnesium-whiskey
File name:12192022_Bank _Report.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:675'328 bytes
First seen:2023-04-06 10:53:49 UTC
Last seen:2023-04-11 13:14:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:TKEGQiTKvx8FeKCav2WCndQxt1a/6ROJKisx52QKPiES6Mbxb804aemnar56e4dA:TKEGQdKFpv2WC6z1a/6R8KisxUPmnbxe
Threatray 1'925 similar samples on MalwareBazaar
TLSH T1E5E49E521A624BD6D6B90D6407787A881678AF42D710633E7D83BC3F8CFBB8B50953D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
267
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12192022_Bank _Report.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-06 10:57:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/838e37aa-7118-4b8f-a5e8-3eff69fb2138

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380616/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642ea4ca612ecb08a4caddf3/reports/41bc9dbe-b421-4f72-9a43-9712243be2a8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/64d05933-daa2-492a-99b5-3c2fd60b3ef3
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209596
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-06 09:28:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 35 (48.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvnkbend5p4nkn6s3jq6fsoal5yl77yw5wredke6la6al2tbmtrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09da622ef3e5d5a12d5b51075e06a1ed054ac21d37eadb07cd901366150895a7
AgentTesla
1d0a3d165801a8cc1afce2a96c47e613927f5e1e2dbb11ed4e896f8bb31a3322
AgentTesla
348ac0dba533f7b93f6ef883c95ebe47da2d03201bccf71f364611f64fd44cd2
AgentTesla
4097ec9b7e47872f529451d84c79c68d22016553e63c95162306354a1b15a9d1
AgentTesla
5df3a5073fc1a14936a0227e2674ecdc580c804e117463a40b417a54334e04cc
AgentTesla
6dbd277a53e2c621a778a18ed9fc38ed556afc145683481aeb55301d1a574961
AgentTesla
ae9f0a09b1f95cb4ef05dc51e749a6b33e641a67cbf7cafc6fef41dbbd5b7671
AgentTesla
e829720bbe99c3071e0019a2ab941bda898a81d78b9813597467f6cf639a9a88
AgentTesla
f9e83b0a37210c05f53c608019e724d00a92a4addb4f7c21b024897fd121ec1c
AgentTesla
+ 1'915 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230406-mzjapscg23/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
592e0a9cdb79c050d6bf7fefaa373f574f747d7e8681045ae5e2b61a6f092cc1
MD5 hash:
2782ac5414fd1c12f40491577c186cf5
SHA1 hash:
9c98473e00df5e2b7f9c75a4bb0f507140264723
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
SH256 hash:
6bc5ac62b841bcad582f52d70acd35be7f9bc5ec647ce9a0fecef719d11fb95c
MD5 hash:
5181f19726089ae10947f5c76ac113db
SHA1 hash:
89b6f4bf6db98e90ec8b1b962fe04eeaedb33710
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
SH256 hash:
bcb79be04776aa5600513c6a05332826e5e5707eaaaad8431966b44f05757459
MD5 hash:
f65576fc447ff732798fc2bdb6d79638
SHA1 hash:
47bec89756df7c634c02a57a36f951674626e538
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
SH256 hash:
02821702902b6adf55b683efadde660600b9be3eeaf17f69cff3ba711c7a5e57
MD5 hash:
58a2fb640382d8947f6dabb030c8fd33
SHA1 hash:
a877220dc4693795f88ca0195168597aa051c493
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
SH256 hash:
0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3
MD5 hash:
735a1d3fd9bccd7202e77bf3240a05ec
SHA1 hash:
cc4df9ab50ca45b666ec79b3f8198ed9d2f7b4c7
Link:
https://www.unpac.me/results/1d1e11b5-5c75-4c7c-82c5-12389d08cd97/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d5aa091a3eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0d5aa091a3ebf8d537d2da61e2c9c05f70bfff16eda241a89e583c05ea6164e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380616/

Comments