MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc38fb20eeb05080b4d37c168b8d5df58ba97c283083cf012cc29ddbc7c51e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	0dc38fb20eeb05080b4d37c168b8d5df58ba97c283083cf012cc29ddbc7c51e7
SHA3-384 hash:	8f2a318413af189df761df472d2bc7654928e93600a7e2fcebb9de7ddf4450176f284013e1b4b3734c90ae18f3d7a855
SHA1 hash:	cfc0b85392654ff90a7d4c6a2e3b2405a1aea15b
MD5 hash:	337840b9bde8f4e316ea0b782db28024
humanhash:	bulldog-jig-virginia-helium
File name:	337840b9_by_Libranalysis
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	659'456 bytes
First seen:	2021-05-10 12:01:29 UTC
Last seen:	2021-05-11 11:00:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:XiSRIF+GJ8RM94OGGYPmlpiICM50kI4ax9Vvhs+rcc7:8F+a8RMdPYeCMdI4a9hhfrT
Threatray	4'602 similar samples on MalwareBazaar
TLSH	A3E4D02C7BE88944E9BE56BC9471412443F9B2161817F75E4EE160FC2CB7B12CF42A9E
Reporter	Libranalysis
Tags:	AgentTesla

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/153975/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/779387

Signature

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0dc38fb20eeb05080b4d37c168b8d5df58ba97c283083cf012cc29ddbc7c51e7/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-05-10 11:37:37 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bxby7mqo5mcqqc2ng7awrogv35mlvf6cqmedz4aszqu53pd4khtq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0bde3651b28acbd70a77d6832f86a5370cba32f0f213b1062dec071112166128

AgentTesla

119515dce3e47142f5dbc2ced6d7ef92458e1f9d4d104141e9c068413db1552c

AgentTesla

2360d00fabefc2e52aedea07c1298902b757c48d62e4a6177408fb17c806ce93

AgentTesla

237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4

AgentTesla

3fa40179e35abee79981eaad63f79962d9fdaad9685fea8380f04b98384e070f

AgentTesla

490d077b95439b181a68d695fe8496653bf3dd42d6e4baef1e7132b550e278d4

AgentTesla

96abbdc6d2b0db258fca1d72a5b471bb7948e4fa083c29856a8091ab58102d59

AgentTesla

ad0ee0f333050747c487196146dbdc43a4c59817120ed78b73835b3fc0f372b3

AgentTesla

e27c7feb3112b0f8d3aa4195962fc2c430074179cbf6811874b49691c486e26f

AgentTesla

+ 4'592 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210510-t3fa6e558s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.88

Link:

https://yomi.yoroi.company/submissions/0dc38fb20eeb05080b4d37c168b8d5df58ba97c283083cf012cc29ddbc7c51e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153975/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample