MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0df2de5afd0cf3df1240846e3d6d16d189673137a08364cd3d6ae962692bf167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

SHA256 hash: 0df2de5afd0cf3df1240846e3d6d16d189673137a08364cd3d6ae962692bf167
SHA3-384 hash: 8978f5048ba614a6649e9d8a66bada0cec2774ea61271d01c81f44c6a503265b42cea585dcb1d54f56cfe8509bdd9234
SHA1 hash: 542ba7db101386154aa71ee5fd04b7ae3c1ab945
MD5 hash: 0b1dcb8cb3d3cd9d6f1499efa79cb044
humanhash: oranges-dakota-illinois-arizona
File name: SecuriteInfo.com.W32.AIDetectNet.01.22343.9092
Signature: AgentTesla
File size: 1'113'088 bytes
First seen: 2022-07-14 16:42:26 UTC
Last seen: 2022-07-14 22:05:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:y0KJABTqKjCetsBJx0hRZ2WII94zUIMIZbENnr5EZsER:gA4KOetthRZ2sxIZbE9ty
Threatray: 20'925 similar samples on MalwareBazaar
TLSH: T18B35F1AD365075DFC81BCD7289952C24AA206877470BD243A24736AD9EAE7CBDF041F3
TrID: 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.0% (.SCR) Windows screen saver (13101/52/3)
      8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 308
Origin country: n/a
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: SecuriteInfo.com.W32.AIDetectNet.01.22343.9092
Verdict: Malicious activity
Analysis date: 2022-07-14 16:50:04 UTC
Tags: agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-07-14 15:55:06 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SHA256 hash: 1b711d289b755ed89375774a3d886d4ec31cfa1a2f025e7b3fef6ae09ae69246
MD5 hash: 4a7b1d7e4b113860097dcaad95191125
SHA1 hash: ed92126b887e1decacc9b61d776d4dedf8e57add

SHA256 hash: ac9139f6843f5630933e7b63ea8e05134c86222c5c7ba85ff7a6715205b777d2
MD5 hash: 3b1e451e7d27b694bd7a6a22d42b9138
SHA1 hash: 9e33b60c3fe1dbc6a87462f4a2485f4dedc6c18e

SHA256 hash: b25b8a8e8299d324886ae5009ae63a45a111a80213f03838d4dcc2d5622e9277
MD5 hash: 5fc03e1244158f5e1c96146016b71eeb
SHA1 hash: 899228348349f4b6553c93504626fb7173130144

SHA256 hash: 883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash: ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash: 82385d75444ab5fccacf37e2746c7dce73faa7f3

SHA256 hash: 2776e15139dcc72a0db065ed6197a09ff25401a6bc73411bca801f9fb32f77b0
MD5 hash: c9ccd47e30646ed4e6293e1d72824643
SHA1 hash: 1c9cce49252e8a471acbee2aeec7f3324fc1eb8e

SHA256 hash: 0df2de5afd0cf3df1240846e3d6d16d189673137a08364cd3d6ae962692bf167
MD5 hash: 0b1dcb8cb3d3cd9d6f1499efa79cb044
SHA1 hash: 542ba7db101386154aa71ee5fd04b7ae3c1ab945
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments