MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464
SHA3-384 hash: 1321a982e1da0611393952c6f7e1280360c64d8d521c00c175cc84774fab41d2bfe1c4f055077ff5851c9c4d2fee7a43
SHA1 hash: 9669b32e5040a6665c5b47b6d92c14e58c215453
MD5 hash: 83de927539523cf03b4228cbc2bf7f80
humanhash: low-batman-lamp-north
File name:83de927539523cf03b4228cbc2bf7f80
Download: download sample
Signature AgentTesla
Create hunting rule
File size:929'992 bytes
First seen:2022-03-03 09:51:01 UTC
Last seen:2022-03-03 12:17:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Iy8n3mpYSjCY0zwe9GIpT/tJz6LEZpeQp4MLsOUtftTXrQ:H8n3mKWeZpT/7z6LEZpeBMLs1tftTXrQ
Threatray 14'970 similar samples on MalwareBazaar
TLSH T11C15255B38AA410DB6616D659FBCF171C15EEAF2187A5CF75DF3090A1012AF08B2DB23
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246925/
Detection(s):
SecuriteInfo.com.Variant.Lazy.145828.17534.22369.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/220f7572-bf69-4b15-a4d7-2df55e601991
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950041
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 02:02:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4eh4a7eqfgc2xhue3bsgjd2ejhd5n4k6qqlgxeu3rah2yclursa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4d662aa31227aa5a3d975fc14eba13cc85c328654852bda5587c69f24d14f8f2
AgentTesla
80229ebcf769df182c0354a82f076cb2f093d95a2bde0af3d9ef740c1aa038a6
AgentTesla
91d6b1ee61fc676affdcead674c1d17c2d62f7aacc1a757e4071af6134fc2847
AgentTesla
abd99e485e5c7b462f2dbaa2c8e3eae71faa79b15921fc94ec3827920f3b4a6a
AgentTesla
b5347abcba9dfc9bdcf610bd8feee1128d9703de3b46f81d3767b9570c9b1bab
AgentTesla
c57fe1ed5d41144d82c9892c688982e7a649e4c3be7c130b48fbd13949448e7b
AgentTesla
dcc30daa103f38a83d8f731cf1d6dccdfd53d20e27b6944fd328cd78149beba8
AgentTesla
f11ab395547ecacdcc66bd98f1006c3f9fd1ae42272ec5c9c9376a0657b58947
AgentTesla
+ 14'960 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220303-lvhb6sadf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
http://agusanplantation.com/host/host/inc/3bf5ba6e6c7434.php
Unpacked files
SH256 hash:
cd73001a8a94ae5eaac2694da6dd6ced802dfc1e2ac863ca7b2a5e845d0e7a0d
MD5 hash:
631e6b8e076ee7c9678a39345cce9fa9
SHA1 hash:
9c04762ddb959ea792f8f6c19235bb208672e343
Link:
https://www.unpac.me/results/c5714625-aef1-4afc-8b70-451917b34a1a/
SH256 hash:
0eca1086a206398d9c5d24fcf5cbda95e380068db201096419b44c8de6fac73c
MD5 hash:
c300486501d448c0dfa967bad7bb665a
SHA1 hash:
7cea9dcfe72623834ce2741b9a9a7005dfd9338f
Link:
https://www.unpac.me/results/c5714625-aef1-4afc-8b70-451917b34a1a/
SH256 hash:
0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464
MD5 hash:
83de927539523cf03b4228cbc2bf7f80
SHA1 hash:
9669b32e5040a6665c5b47b6d92c14e58c215453
Link:
https://www.unpac.me/results/c5714625-aef1-4afc-8b70-451917b34a1a/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0f087e03e481/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 0f087e03e4814c2d5cf426c323247a224e3eb78af420b35c94dc407d604ba464

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2073575/
Cape
Cape
https://www.capesandbox.com/analysis/246925/

Comments


Avatar
zbet commented on 2022-03-03 09:51:03 UTC

url : hxxp://103.89.88.117/savespace/vbc.exe