MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c
SHA3-384 hash: 13669ddcb88ef0750faaa3776bc30ed5677a1e67a675dfa001b7c5e80d7ad6e4c4f57ba331dccf131b500f29d518223d
SHA1 hash: 1a6e87e4d9a0843da2fa15f840d33f7b4cbcd20a
MD5 hash: 89ab448998a91c5b800515522343a67b
humanhash: king-speaker-mississippi-seventeen
File name:0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:696'832 bytes
First seen:2023-03-30 14:05:18 UTC
Last seen:2023-03-30 15:05:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:leJ/sIt3ehOoLVRhXcVVTJmk95wLoRfHP37z6ANHHK9+QzLAyVFuddlENnSimOM9:9wGlMxQ45wLoBdNHq9+8LAyStQnSimX
Threatray 1'758 similar samples on MalwareBazaar
TLSH T162E4011435ED912BC565863A80E4C1B0677ECCC1E66ACB675FCABD8BB3CE30A543518B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 646466eaf6726264 (9 x Loki, 9 x AgentTesla, 8 x SnakeKeylogger)
Reporter 0x746f6d6669
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
newXspainXorder.doc
Verdict:
Malicious activity
Analysis date:
2023-03-30 12:56:40 UTC
Tags:
exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/ce012ef8-1f94-4821-b384-ea03629a4ecc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378841/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6425974a84fe7631c302f3e5/reports/b8b6a08d-dfd6-40b1-b225-3c3e3aa57ffb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2cae6fe5-11e4-40cd-9824-5e4396b8daea
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1205304
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-03-30 14:06:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2mac6tadc3va6e6rn7w6sqo5cafcljwjfxfamecpgo7ekf7zqga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c
AgentTesla
594f1cd08290c1b1328dfbd78113d418794b2353e1557627f15d4f780097a0c8
AgentTesla
808bb32f710ae23d2a4b53b873f766bf56d905dbe8e51810edd15ff79538cd94
AgentTesla
a74fa0d307bc42f7118fb46c786b9f9bde4aa25826d6edea9b582b9174013b1e
AgentTesla
dcbf2a46595f5714137faa5d4950067eb1b1e5259c2bce2a75f853a73303d45f
AgentTesla
e5e242f8384500a304eb770bda1fa280c64c4a1e718c89826775d25341fc82c3
AgentTesla
ee361abd551977efe8d984071743ee90b31c06573f5b5f954f3aad9284c18552
AgentTesla
fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31
AgentTesla
+ 1'748 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230330-redxpsed51/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6258465660:AAFAPHkxw9lv-YgWk0oo5r_nv12k7nJhSWA/
Unpacked files
SH256 hash:
5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash:
c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash:
fda2b448e6c7a411e1baed2a8bca7050b9b769ef
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
SH256 hash:
b59327dfa7b4d83ac8614b42b63c3f75fe12e251c25ed5342bacefe156ea4ac6
MD5 hash:
357bb6d83d42bbb0731451e09aa1012d
SHA1 hash:
87ff0f1555d43356192af16c3c225a196ba817fd
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
SH256 hash:
d7ec57d76e7e60e775814e5ffbf229391b6dfe3d43afba4e348366f129eaaab7
MD5 hash:
b94e26f471e45013e9d5d61cbb2d6c34
SHA1 hash:
517c8ec3f916d1ef5f2c335cb2f3d43b7449bdec
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
SH256 hash:
1da3f9b8b12e965ed51d1c160b8cc448c75cc975daf7796a1d9e66aeeab7e35e
MD5 hash:
ad0adffb69c0b45ff57c98dcb656510c
SHA1 hash:
2b6a5066797aef0a91f8abd0a97a71fd500fa853
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
SH256 hash:
29cef52b08112914a572439878c08769d3ae100c45b90fb74f7843051417a9fe
MD5 hash:
3deee2ca0cf54ece18fe36dc7366f8d7
SHA1 hash:
08c986725022e963bb666ab5c0fb6ba739b187ba
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
SH256 hash:
0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c
MD5 hash:
89ab448998a91c5b800515522343a67b
SHA1 hash:
1a6e87e4d9a0843da2fa15f840d33f7b4cbcd20a
Link:
https://www.unpac.me/results/0c8abf9d-7f27-4dd7-a28c-30ca6c088280/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e98017a6018/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0e98017a6018b750789e8b7f6f4a0ee880512d36496e503082799df228bfcc0c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/378841/
  
URLhaus
https://urlhaus.abuse.ch/url/2591294/
  
Delivery method
Distributed via web download

Comments