MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af
SHA3-384 hash: 8e14f621a0574debe6556f55a867a6d7bfd92cd97690eb0be8c6c729629f5f7a38a6a7e83c1b2ff2c4988081e906aab2
SHA1 hash: 2ba80b55532dfd090aaea137638d6a465c3c4bec
MD5 hash: da766386190f034e7441eb6f90e40d05
humanhash: uniform-angel-rugby-king
File name:2021091800983746_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:664'064 bytes
First seen:2021-09-20 04:43:32 UTC
Last seen:2021-09-20 13:00:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:gbOZAe6+wKx5PREHXg4XRBe/3ODL1KcANemXbUGFPw8:TzfrxFRAXhi/k1QemXbUkB
Threatray 10'024 similar samples on MalwareBazaar
TLSH T178E47B063398CF21C11F15B6D8A2C2F81327BE41DD449BDB76C9FF1A39B32A66951583
File icon (PE):PE icon
dhash icon 0f519373d9cc750b (107 x AgentTesla, 20 x AveMariaRAT, 5 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2021091800983746_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 04:45:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b44ed49e-e08f-4075-83e3-4a9f60c2647b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189191/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37606752.24790.13853.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/407411a7-d7b2-4f2c-adbd-ab6703cb75a0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853727
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Encrypted powershell cmdline option found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Encoded PowerShell Command Line
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 20:03:55 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwqta3fhknd2iodqpfdf56b357cqe7fesq6aqasfaqlv3jdtagxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
78af4e9c1f31817ce195cd77aea8659a75148c5a302b35e9c17f2ff93a696a0c
AgentTesla
7f3bc638d00a6b3fd61d768fd39047fc87b97942d809d16042770d42d0e0da24
AgentTesla
9122c256e01d8489721f5a124686ad014bb32fb9d058dc74d966d36381fe01c8
AgentTesla
a2f824423896d08cb0e39cdc6d7782eb2093b5cf6801baef759adb2ae65fbeb3
AgentTesla
b8c22189bd0dbb85f078d3d58774f7a1f7e28d0c304cb3f36de7328b4b4fc442
AgentTesla
cd21f313637dcce24e8ca5cb45937fcbaeade384bb435e215e6abcee06e44757
AgentTesla
ee38c337749db260f84ccad87db5245a2fae65f86d8cd57562c72081d3300f97
AgentTesla
+ 10'014 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210920-fctplacgh7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
76d849dc5faeda1bc6d43f3af553f03195cc1b5fbf82ecd8a5302d32e325fa47
MD5 hash:
5c97b57d9d3843bb9d576a45d9a44da7
SHA1 hash:
845c154c0e9389f9b8e1a0ac2cd38a9dcb93526b
Link:
https://www.unpac.me/results/5e8857f5-06d9-4009-aa3d-ffe3e953ef8e/
SH256 hash:
0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af
MD5 hash:
da766386190f034e7441eb6f90e40d05
SHA1 hash:
2ba80b55532dfd090aaea137638d6a465c3c4bec
Link:
https://www.unpac.me/results/5e8857f5-06d9-4009-aa3d-ffe3e953ef8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0da1306ca75347a4387079465ef83befc5027ca4943c08024504175da47301af

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189191/

Comments