MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384
SHA3-384 hash:	61190f5c01640afd9d4f6f4d0e49ea6cfc64de87f2892ddd205efe27b17711aa319362dbbfb95f9ef92066030c8b7753
SHA1 hash:	b61f4bd0b6865956497c84ec55594ebf1965d51a
MD5 hash:	00af68a6ce70763bfc520d17350640e9
humanhash:	dakota-uncle-gee-bakerloo
File name:	00af68a6ce70763bfc520d17350640e9
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	693'248 bytes
First seen:	2022-07-14 04:50:15 UTC
Last seen:	2022-07-15 03:40:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep	12288:LtJm2oYdbBa66AAzV7KHd0OxbvyDPAy7a236Dyeyz5y73jXyNPl4x8:Lfm2oYJtjAz5KHd0g2DPAY6Dgz5wXumx
TLSH	T191E40111EADAC238F5FB6BB91BC8B4F43AB5F2325205FD792AD10D4E4756E408D81236
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	openctibr
Tags:	AgentTesla exe OpenCTI.BR Sandboxed

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/288038/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Stealing user critical data

Unauthorized injection to a system process

Changing the hosts file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/62cfa0bf8dab2096b9978445/reports/447c9e16-39e7-4e81-8853-7865a68f00ef/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9fc7f6c-8ffc-4336-9c8e-a73dde2d6134

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1032025

Signature

.NET source code contains very large array initializations

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-14 04:51:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bxiqdafh3n2xx666aupwydzftspxxynnxdobfdg7ke22si7hioca._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220714-fgxl2sechj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6

MD5 hash:

01800f6b045def8d90c649842f56d752

SHA1 hash:

f8434a4636d0772d01aac44bb3f9753a41f01d34

Link:

https://www.unpac.me/results/7856c81b-e37c-4d48-97f8-b8ab3a8cb2e8/

SH256 hash:

65824816d92416c56ac373ecd1ae6e71864519ed28b2b3336493f201aaba5fa5

MD5 hash:

a44eba3224bd1ba5e44282ce5a1e718a

SHA1 hash:

cd0b83cdb24b719f3be1494d0747cd936b2510e4

Link:

https://www.unpac.me/results/7856c81b-e37c-4d48-97f8-b8ab3a8cb2e8/

SH256 hash:

9739d9b1af1a02710c840213a176af256b897e045e4f533fda17570c4c406b97

MD5 hash:

fc61a6b0fbfbc6db992d366596c9f4a7

SHA1 hash:

c4e40400e01e1aaa1866afea545ab6bee5639dec

Link:

https://www.unpac.me/results/7856c81b-e37c-4d48-97f8-b8ab3a8cb2e8/

SH256 hash:

0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384

MD5 hash:

00af68a6ce70763bfc520d17350640e9

SHA1 hash:

b61f4bd0b6865956497c84ec55594ebf1965d51a

Link:

https://www.unpac.me/results/7856c81b-e37c-4d48-97f8-b8ab3a8cb2e8/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0dd10180a7db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.54

Link:

https://yomi.yoroi.company/submissions/0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 0dd10180a7db757bfbde051f6c0f259c9f7be1adb8dc128cdf5135a923e74384

(this sample)

Cape

https://www.capesandbox.com/analysis/288038/

URLhaus

https://urlhaus.abuse.ch/url/2245697/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample