MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
SHA3-384 hash: ce74fde78cfc738358ff93e3e55ca6aa095a238646da75d812b2ed90944e0f9be84ae561ba1bd0fd8c3c7f3a565eea7d
SHA1 hash: f67aba8fb305f7270f36fe8a240a593e6a471528
MD5 hash: b887da60188b2386090a37cc6e15566d
humanhash: nebraska-cardinal-mockingbird-quebec
File name:YOU2KHStqbMOqKH.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:887'808 bytes
First seen:2023-06-20 06:28:12 UTC
Last seen:2023-06-20 07:12:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XNcuuqYtYq7J3At5iHOq+ZQO4bex50OZ2GFS8OFzr4e1Jsrz8YC0Kz2XZys75X9x:VQYqtm8OqKo8jONke1JsPC0x/75X
Threatray 5'422 similar samples on MalwareBazaar
TLSH T15015E0243A780F57E07D97F84151A63117BA6A6A783EE7584EC3F0DB2A52F410E91F23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
256
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
YOU2KHStqbMOqKH.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 06:40:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c11cc00-803c-4421-bbd4-2e8edf11a0dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400837/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67623322.10039.31138.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/649147313067ea15b6568202/reports/0892d3d3-c095-4ba7-a8ab-1abb03895ffd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/71b1b103-65cd-40d2-ba20-e65afe201527
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258387
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 12:30:15 UTC
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxvlxaduns4oxxwfm4macqtmnmw5lbrdtd7xtu63ss5yvfndurmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b9a2dc6ca050349b9b0f180706742b64e734eb334c02afd87d7108eff1d4ec8
AgentTesla
466152ce57063783bc73fe86736ecebcd168335df5212c71f6a15cab3cc2b5ab
AgentTesla
50ac458169dd382176f04c26b8538ce829c903bf60cc2fa5ca7681feba1a7a98
AgentTesla
61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e
AgentTesla
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
AgentTesla
868c32e8f0d323bf24fbb9c6d073198cdb50a072905ba1f43f3725dceac6863d
AgentTesla
885a126d8abff2e4d272e8df02fb03d836ba078053dc55257860780b0b4b05fa
AgentTesla
add5620949d2784c56b3fbd811a417a72318dca2f8eda9fbe2757c60f272040d
AgentTesla
aebd9abedf05d17f9fd3c7e3f5d35401ab52148f00b81e067f4688f84ed659f7
AgentTesla
b72c1734f74d8174d1feb0775148c56903fa6edd409d1598cccff025f30d6cc5
AgentTesla
+ 5'412 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-g8xlssbf2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
932f7f7c112a1c5d3e18bde407291f12b4f14fcb0bceb78db2258064abdbd59b
MD5 hash:
41ae4ea7ab26f10130440bc3c13857b4
SHA1 hash:
d7067632a92a6115745376762111ecdbbe276ad1
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
SH256 hash:
d2ebd3a6d8d4851e929ace6451b49e57113dd84f2d60c293f6e79b94a42183d4
MD5 hash:
02619cb58a6d438fde337cc313ca6db5
SHA1 hash:
cf7ce53022c1128d54ec45db8dba3d59f42a5137
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
SH256 hash:
5e2ae23b1d55bc3bca71b90bfb928214dbd2e5f6179525a13a6bec21bfeeec6a
MD5 hash:
9cb708eae788326e32117c14ee8bee45
SHA1 hash:
9ca155055ba4f360190f4097f57ce23792f13b47
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
Parent samples :
add5620949d2784c56b3fbd811a417a72318dca2f8eda9fbe2757c60f272040d
61c75c0d5321db299e58bf919860e9afa4471e4e97dddd00fad6a761cdd0a61e
50ac458169dd382176f04c26b8538ce829c903bf60cc2fa5ca7681feba1a7a98
aebd9abedf05d17f9fd3c7e3f5d35401ab52148f00b81e067f4688f84ed659f7
466152ce57063783bc73fe86736ecebcd168335df5212c71f6a15cab3cc2b5ab
1b9a2dc6ca050349b9b0f180706742b64e734eb334c02afd87d7108eff1d4ec8
b72c1734f74d8174d1feb0775148c56903fa6edd409d1598cccff025f30d6cc5
885a126d8abff2e4d272e8df02fb03d836ba078053dc55257860780b0b4b05fa
0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
339ae2cba0f3ce8bf4b3098daf78d5e4bfadeeae26762c697bdb63788927ee77
2af3e1758223c0432696bf2252d89659db6ea920b1c926fba92b3d327a4a7703
SH256 hash:
dbb7752f975a861f698223fc482a41d3c92035732b0f7478d2a792a5d1f27145
MD5 hash:
d667a978ad9434d6fc1d5c1edfd562e6
SHA1 hash:
3359488582aec5873fb8cf7fe40cc11653dcff8e
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
SH256 hash:
bbd2ed6ad2547fd8d745c55c51240f06c599dae9374b52fd4fac5b74daa86ce0
MD5 hash:
f3d896f7cfdda4ab71acdb0270647d59
SHA1 hash:
27eeb4499d3bf8fb6b6ece4f398b95f6b24eac2e
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
SH256 hash:
0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
MD5 hash:
b887da60188b2386090a37cc6e15566d
SHA1 hash:
f67aba8fb305f7270f36fe8a240a593e6a471528
Link:
https://www.unpac.me/results/3b4a18a8-ab99-4f51-b3b5-b5b80468f680/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0deabb80746c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fab0d00f4e574755697ed6c09c3e7d4418f6dcd6c148ad97a5213e085f8ce853

AgentTesla

Executable exe 0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/400837/
  
Dropped by
SHA256 fab0d00f4e574755697ed6c09c3e7d4418f6dcd6c148ad97a5213e085f8ce853
  
Dropped by
MD5 1acb656af3fa8012b31dab6d92165e04

Comments