MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733
SHA3-384 hash:	d14bf055fdcd58689d3bf35ee54d7121c8dac2d7bc07e9db160d1c6d9053a58cdff4edf23e63ed65edcb035bfb2720aa
SHA1 hash:	04f6347af1d4332ecbd960ab74a93b08693f588f
MD5 hash:	d14116d8e1cc9a9c8f0d3051ffb5d0e2
humanhash:	twelve-delaware-asparagus-ack
File name:	SecuriteInfo.com.Win32.PWSX-gen.7388.31207
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	695'808 bytes
First seen:	2023-12-20 21:17:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:QOy7M1ze9QfoR/SgKfWO2lfSCKr0Zu7PjfuKprC1u11ShYXVPTNFTaCQ7bp9cp:jXhfoREWOOqVB7buKw1u9PaF9u
Threatray	4'280 similar samples on MalwareBazaar
TLSH	T125E401247AB94319C6764BB52C7562C023BA66A7BF05CB6D3848524CDD33B138B11FBB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	006049569be66050 (1 x Formbook, 1 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

407

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/468682/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

SecuriteInfo.com.Win32.PWSX-gen.7388.31207.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65835a0bb2e45ed099c116bd/reports/8d557058-8977-4f72-bd6d-bb2a434e2dbc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2395bff7-885f-4861-ad3b-e243387eeb17

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1365288

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-12-20 21:00:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bvvdzerrkcc464fv2dxitmg3fcrh5vabalgrfx4vi7unhfxlu4zq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

4e77677a9a29e465f030c9a9695533c8dbde964ecc66585a0b9f26a1548ad3ff

AgentTesla

7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74

AgentTesla

a0af28c2998916fb7b8d403dc398c54f829e0f7a0768834fcb7b677048aa18c4

AgentTesla

b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce

AgentTesla

+ 4'270 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231220-z5ln8sedfp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

ef813cce70b769f347e9b244050f44aa97356d93c08726f7ccd2328910851627

MD5 hash:

fb6498f1ce5ddd8e4ba8caa90892385c

SHA1 hash:

eb4fc50a9a32d60b16085c97c769d6e7331839c8

Link:

https://www.unpac.me/results/b0d9f8ec-117a-454b-adb1-7b765671b572/

SH256 hash:

c25c3016be9c1a31e10bf1af75b19eae9d4c36d1545c328ed1dd9fb09f069b52

MD5 hash:

d970cc838d02fa04d1366385e685a7bb

SHA1 hash:

d828f916db236bfb3185f44f7929c59859226f47

Link:

https://www.unpac.me/results/b0d9f8ec-117a-454b-adb1-7b765671b572/

SH256 hash:

c88cbfd2a5bd5e6b46abef43056ab9e14af424de84239d3bff3e9654a5ccd34f

MD5 hash:

f105495e56459175bd7cecee0e96fd91

SHA1 hash:

94d6b482d7790931b6d5d12966ab0f7f8f06c64a

Link:

https://www.unpac.me/results/b0d9f8ec-117a-454b-adb1-7b765671b572/

SH256 hash:

26e45f403cdfe814e0bb0cfddb24c6e257c074ab7f1042ee1fc3d56f2f4c773a

MD5 hash:

1284934322e058996f102f49dc76fdf7

SHA1 hash:

81dad69bca70c3ae4d91dd22b452f64c87fb0a05

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/b0d9f8ec-117a-454b-adb1-7b765671b572/

Parent samples :

a0af28c2998916fb7b8d403dc398c54f829e0f7a0768834fcb7b677048aa18c4
128b915c058609131a3ae2ae25b26aea06b51a0001bb9b9794b9cf401f16668c
b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce
7f55066e20c9aa6f3568fb142a1a52af313005ae4739d5f378d61991fc2fce74
4e77677a9a29e465f030c9a9695533c8dbde964ecc66585a0b9f26a1548ad3ff
0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733
dcfd5b0c16f4b58c12f71af5f546b06fbdf597b7a82d6c14b9799588551a5a9a
57653821b3827abd3779dcfc3a2d03f480eccf8beab8bc541ecda5aa9dc1bdcc
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
453a55e207726e7d46391d250ebb8be6b2f188c27ae597d49defeb8831f026dc
9ffb250a0fdf3f3cb6f1a0d9b4bf8b5b5693f2b4181e4b2c4373cfa64be5cea8
50493a0bad941676566a58131684cefe655e9913366257e8f25092f0914eb3fa
299b6a2c1ea140d514d858008cbc42425f7e580d203942d742f21ee6d307d90e

SH256 hash:

0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733

MD5 hash:

d14116d8e1cc9a9c8f0d3051ffb5d0e2

SHA1 hash:

04f6347af1d4332ecbd960ab74a93b08693f588f

Link:

https://www.unpac.me/results/b0d9f8ec-117a-454b-adb1-7b765671b572/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0d6a3c923150/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/0d6a3c92315085cf70b5d0ee89b0db28a27ed40102cd12df9547e8d396eba733

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468682/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample