MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d
SHA3-384 hash: 51f9c2f9cd843807e2e92e7810bc5e27d27dd1871894d2fb1eadfc0fff67baa20f59fb1b5829edb8ad87042573798178
SHA1 hash: 102b606193b7cc50010b4f84d338ea9a1eef4651
MD5 hash: c6dba1d72dbf440d3fbf4e2729d80b85
humanhash: friend-florida-washington-william
File name:PURCHASE ORDER (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:389'632 bytes
First seen:2020-11-05 14:08:53 UTC
Last seen:2020-11-05 16:10:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a2e488bb8211c84ecadafdfe470552d (6 x AgentTesla)
ssdeep 6144:9n4ilitk9V1Nap254gE5/JhKy7890s/9Japg/5pPdou15TVsLQWN6wIO8ePz2l7y:VtlWI1gg4h5/J8908JapGb2ulsEsRIOx
Threatray 972 similar samples on MalwareBazaar
TLSH A38423F9D09A3132EE0ADA38063B63F2CC155B41679667B9CE64FC703E384C5AB1475A
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83264/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521534
Signature
Contains functionality to detect sleep reduction / modifications
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309867 Sample: PURCHASE ORDER (2).exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 6 PURCHASE ORDER (2).exe 2->6         started        9 NewApp.exe 2->9         started        11 NewApp.exe 2->11         started        process3 signatures4 44 Maps a DLL or memory area into another process 6->44 13 PURCHASE ORDER (2).exe 2 5 6->13         started        18 PURCHASE ORDER (2).exe 6->18         started        46 Multi AV Scanner detection for dropped file 9->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->48 50 Machine Learning detection for dropped file 9->50 52 2 other signatures 9->52 20 NewApp.exe 2 9->20         started        22 NewApp.exe 9->22         started        24 NewApp.exe 2 11->24         started        26 NewApp.exe 11->26         started        process5 dnsIp6 34 mail.radianthospitals.org 108.167.136.54, 49736, 587 UNIFIEDLAYER-AS-1US United States 13->34 28 C:\Users\user\AppData\Roaming\...28ewApp.exe, PE32 13->28 dropped 30 C:\Users\user\...30ewApp.exe:Zone.Identifier, ASCII 13->30 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->54 56 Moves itself to temp directory 13->56 58 Tries to steal Mail credentials (via file access) 13->58 60 4 other signatures 13->60 32 C:\Windows\System32\drivers\etc\hosts, ASCII 24->32 dropped file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 02:47:52 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b4k25rl2kjjvvztyzcz6safe4k5lcborm5xlbf7l5tpajekk5yoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
308ff6f4141951ceb5332c273a6bb6782443482b229f47bc32a8ebd0cb57fbfc
AgentTesla
3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
590d1a6a1fa00812284d4f5e4f47cb34d4965c79bfc9ec1741f2a8e14967719b
AgentTesla
9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2
AgentTesla
be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d
AgentTesla
e4ef5297d417e9facedcefdc568d9f09deb3df0217d94a69dfa23c1238e1eced
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 962 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201105-qfp858mnxe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
f495db4be8f366c4d7dfa61315c3ac1bc8a5afec060e12d9f5fec6429436e086
MD5 hash:
f0e8481969ae4bb079a02a060c3623cf
SHA1 hash:
47154a7d4c732f0389bbce80d5e54db2f14496e7
Link:
https://www.unpac.me/results/6031c329-122c-4480-875d-94f7e3b9650f/
SH256 hash:
83cc4a08fe13de09073d9b0b76446c95a563edee536a052ad45005b3b3844cbe
MD5 hash:
19f1e6c686bbe4791a417ee571fc8dc7
SHA1 hash:
99e909ce26507f95f42b0a18c99e042be4b47686
Link:
https://www.unpac.me/results/6031c329-122c-4480-875d-94f7e3b9650f/
SH256 hash:
9b9814ec6d0dc9880e4758bc25e96f5ab38826ffad69d443743f40d95e6e5ce7
MD5 hash:
82a33c3fe41ca65ea2ede547298780f2
SHA1 hash:
56f705f1eb4d8a9c862773dcc3ba9894976cfcf1
Link:
https://www.unpac.me/results/6031c329-122c-4480-875d-94f7e3b9650f/
SH256 hash:
0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d
MD5 hash:
c6dba1d72dbf440d3fbf4e2729d80b85
SHA1 hash:
102b606193b7cc50010b4f84d338ea9a1eef4651
Link:
https://www.unpac.me/results/6031c329-122c-4480-875d-94f7e3b9650f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7ab4b6a7725e62396a6d3bb4c5f58d166defc02fb7c2e85607df493ca2ced541

AgentTesla

Executable exe 0f15aec57a52535ae678c8b3e900a4e2bab105d1676eb097ebecde04914aee1d

(this sample)

  
Dropped by
MD5 61dc54a53c4bfa140a67da852fcef122
  
Dropped by
SHA256 7ab4b6a7725e62396a6d3bb4c5f58d166defc02fb7c2e85607df493ca2ced541
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83264/

Comments