MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0f59ae24c5d8a02526fa039f3e03889984830a59ad179dc266c76577a7f30b67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 12
| SHA256 hash: | 0f59ae24c5d8a02526fa039f3e03889984830a59ad179dc266c76577a7f30b67 |
|---|---|
| SHA3-384 hash: | dce51a7834036c8159e19a56899c7229e23ca51691da75db98cbf6f29f5f9a437ff79cb8434ed5e2f4a83e85489dc1ca |
| SHA1 hash: | 5c0c4fa9d24fe19a33e8ef429ae89b11f07ae658 |
| MD5 hash: | 800ace3210e3dc6689dcb2b48bb27233 |
| humanhash: | fillet-juliet-pluto-minnesota |
| File name: | hesaphareketi-01.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 775'168 bytes |
| First seen: | 2023-03-15 15:32:05 UTC |
| Last seen: | 2023-03-15 17:28:42 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:/CdlwMCemEiiPx8/nr/Cb1N1o6iIQpSXlLR2eslh4kT57eW62Ba54pJK+3JGRTw:/CxCLEi8irA0SlQeS4kTNNC4plJT |
| Threatray | 102 similar samples on MalwareBazaar |
| TLSH | T1F0F4010FB69D075DC65F76BA91B51A588324AE0B8221E66E3DC5743F0DF2BC8E442DC2 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| File icon (PE): |  |
| dhash icon | 0f2f0f1f271b6931 (13 x AgentTesla, 3 x StormKitty, 2 x Formbook) |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe geo TUR |
Intelligence
File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hesaphareketi-01.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 15:35:37 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-03-15 12:48:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 24 (83.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 92 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
740e7b7c52b009a96ac47a0cebe652c6aa97803f0f2b73ace74aa4aa16d59cbd
MD5 hash:
d78a9d6094814337deec16d021405148
SHA1 hash:
ff2acaf75cbb3db9b7e1752e635a19ee19eceb16
Parent samples :
b1bf6e4993200202d88ce1ad2a2eaf60f8a1b5665b1873eee7f4220f9a31eb4c
fb012706e028ca770d05ae4580045de7450d40b069bc8f8a250e292746b45b90
8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5
c336b24aeca365ef88005a1bdf4daeee797b2ae2c0976b3db1fa4cd7c9290b87
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770
99fb5779f548068f16297af0c00a4d67ba8c32555a608d22b6b4f66dd420e5b7
fd7a04ef2040fb5bc9216fe5deebd9cf7d1190e7fbdc0e15a42a6c8b639de167
af4fbd837568e98c2a396d6f678b2ac9844653278c191af886c939844f9f2f3b
62d84fe295553d606c20def616280682b67dac3747ffe3ff4eb2337d2d01a4e8
2ac859e404e799bec8c46de362bc5af79bfb5ba455b9dd8832f4198f05692d7a
dcc8f01c079ede8b283839c41ab3eb1668d7a37183d3af2dce5d962ef0835e05
1a90138e87d6691efc22705cfd6b4003a434a5b55125b0c6663ef39206a501f1
9ffbaa54e1ce485cafb5c9eba276d6d18be8d95511838d3e65a4e08cdbdf0a4c
2f8c73b98c4878c743b2e0d5ec8e67ee1b6a0cf931d1ac69fa48a9600d869510
67aa6dd3cfc208be2bf9bc11b9e2ab4dd59f594653f4f073c8b96b5f5872c286
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
05ec15a8743d17229f8749eefbd23092870a62b8befad9881b2d4dc63b0b194b
2eff68c23c7347d6a7614ae78fb7860aa81cebc0037d9c2a95fb795c2e2b3d6f
c533150826bd6cd5b29cc1ec1b552091e976f7ec10044796f947bc262023d9bf
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
80975a26a4f83ef73e1ea0280bb003b7f64daec835bf476077eda08c756a5671
b3fac580e11f2a319aa3a2122fa47f08dee0d8c8bb1967cc5b0a548493de7781
f94d390deeb6e7c8738fc693de22e0a49e4d57681759dde58102ebeea443463c
43e9db6b9ba0f48665e26a37880216e9b9135177bbb280b1b0143d2295b9a53d
0bf1609dcbb7c573bfce2b0333c56ff2db52dd54fe98a278e57a99b46dbfbe68
4a1731baffae0aeb7576bbe744f7c4bec60f3a8865fb6f9ed597f50f6c9e4c09
ec138fd03e6239e84fa8751411c8dfec0fb3ebff47e0deb9f7aad7e3b3cfd744
a4d917b6696ddef08d0f4ea5a2dcaa8de85e639684a5f869e353c2c80315e2d7
a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402
8b9f62091a55888570c94edca554a69a8b28909113b022021372e936e2c567d9
7cdadb18edcd84c6223b48a00dc074dfec26f8416b754acc87f1231ede8bc42c
ca779382008cbe0bc0ed6b46f21edcb095d7e3ff6cd56e192b5c7259a60a3729
e77034ca0f5612915367f7d97ba20d7452594622ce20078eee74df276173ef47
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
a3646df57e935938fdf32f977fe40f1cff32a25ecfb8d086c08cedff9f7d7f1d
b750afd55ac6a1bb83126243c9fee3c8fb3ea328f3ef7dbed27d25572e374eb5
b5e595f70f317fc0c3916b7f0294681db744ec05ab7013cfb770c1f656018c8e
912e8de60b256356d9d56d77bd1441e5b7692af26fb320e7645bf5edde861baf
c1c41ec1f495a0b825d766f3cbff298777033bb1447d7ccbec6a03bbe0bd54ca
62804130bd52854d369a3586de018287087aa07d7b5d5e3e851122be331b1200
1b6b62b3f96553b8800f1c2c38ef1dde521a149715534f1fa19d02a9df8722bf
dd48767cfb22ef37bba35b4e630122994f00f156e2bdc63d59bbae9a8c36d6f1
fa89df8e9ce2ef14867f975a2fa4f9e3153f02ddbe261c33922826683482b3be
f6ef6dd1439771a20f55663c0b199a57f16da75e9249731916db75aca2265d50
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
6b64730d26c6e0c4ec3db4e89ac886fbaf8cd4decf695c44201a8dc45b3d9f5a
94a5965ad18abb09e0e0e2ea434c021c0c4dbc20df6381196ac41b4ef356fe8a
b7ae1c2109159bbab425688f0735a3fc8c9d623c78ef409f3bebace05bb1ecab
c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf
8c36d1b83a2d060b222898c7b06c04b2b316db233dd58e6551bba8096520592d
348adfb8653e9a39c662e8bb76909d27fd2b79430826658ae8166140006391f3
40a3aac33840e3fa650b9a42daa9ecabaf27f36dbc94b41ce1620817ff188b67
d81ba294e8f5bd20984715efb925abe3df619def7254f554afd09242bea903e6
73efb6c1b43b24a695e351ae599855ecc01e30a90c4999c6f6c93bcfb8329291
000518a2ac056e4e5907aa1eab5b5c4e61b728583a4f77322a6c85190993f4df
c719c3f4ed747b4f467656f57a3eebcfbdaf116e86e78581038607e5830bbd15
80ce21fcc805697cd3d617fb8599d9e20a300a7e1428c0b160db85f166db5be3
fb012706e028ca770d05ae4580045de7450d40b069bc8f8a250e292746b45b90
8838925ac19a77ed2817ed8e52b6b9db02d58987dd10774eac576f839df1c5f5
c336b24aeca365ef88005a1bdf4daeee797b2ae2c0976b3db1fa4cd7c9290b87
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
3706066f775904b6ac4d07b179d3f7846c15c085ddeff5633c72a555d9529748
43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770
99fb5779f548068f16297af0c00a4d67ba8c32555a608d22b6b4f66dd420e5b7
fd7a04ef2040fb5bc9216fe5deebd9cf7d1190e7fbdc0e15a42a6c8b639de167
af4fbd837568e98c2a396d6f678b2ac9844653278c191af886c939844f9f2f3b
62d84fe295553d606c20def616280682b67dac3747ffe3ff4eb2337d2d01a4e8
2ac859e404e799bec8c46de362bc5af79bfb5ba455b9dd8832f4198f05692d7a
dcc8f01c079ede8b283839c41ab3eb1668d7a37183d3af2dce5d962ef0835e05
1a90138e87d6691efc22705cfd6b4003a434a5b55125b0c6663ef39206a501f1
9ffbaa54e1ce485cafb5c9eba276d6d18be8d95511838d3e65a4e08cdbdf0a4c
2f8c73b98c4878c743b2e0d5ec8e67ee1b6a0cf931d1ac69fa48a9600d869510
67aa6dd3cfc208be2bf9bc11b9e2ab4dd59f594653f4f073c8b96b5f5872c286
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
05ec15a8743d17229f8749eefbd23092870a62b8befad9881b2d4dc63b0b194b
2eff68c23c7347d6a7614ae78fb7860aa81cebc0037d9c2a95fb795c2e2b3d6f
c533150826bd6cd5b29cc1ec1b552091e976f7ec10044796f947bc262023d9bf
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
80975a26a4f83ef73e1ea0280bb003b7f64daec835bf476077eda08c756a5671
b3fac580e11f2a319aa3a2122fa47f08dee0d8c8bb1967cc5b0a548493de7781
f94d390deeb6e7c8738fc693de22e0a49e4d57681759dde58102ebeea443463c
43e9db6b9ba0f48665e26a37880216e9b9135177bbb280b1b0143d2295b9a53d
0bf1609dcbb7c573bfce2b0333c56ff2db52dd54fe98a278e57a99b46dbfbe68
4a1731baffae0aeb7576bbe744f7c4bec60f3a8865fb6f9ed597f50f6c9e4c09
ec138fd03e6239e84fa8751411c8dfec0fb3ebff47e0deb9f7aad7e3b3cfd744
a4d917b6696ddef08d0f4ea5a2dcaa8de85e639684a5f869e353c2c80315e2d7
a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402
8b9f62091a55888570c94edca554a69a8b28909113b022021372e936e2c567d9
7cdadb18edcd84c6223b48a00dc074dfec26f8416b754acc87f1231ede8bc42c
ca779382008cbe0bc0ed6b46f21edcb095d7e3ff6cd56e192b5c7259a60a3729
e77034ca0f5612915367f7d97ba20d7452594622ce20078eee74df276173ef47
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
a3646df57e935938fdf32f977fe40f1cff32a25ecfb8d086c08cedff9f7d7f1d
b750afd55ac6a1bb83126243c9fee3c8fb3ea328f3ef7dbed27d25572e374eb5
b5e595f70f317fc0c3916b7f0294681db744ec05ab7013cfb770c1f656018c8e
912e8de60b256356d9d56d77bd1441e5b7692af26fb320e7645bf5edde861baf
c1c41ec1f495a0b825d766f3cbff298777033bb1447d7ccbec6a03bbe0bd54ca
62804130bd52854d369a3586de018287087aa07d7b5d5e3e851122be331b1200
1b6b62b3f96553b8800f1c2c38ef1dde521a149715534f1fa19d02a9df8722bf
dd48767cfb22ef37bba35b4e630122994f00f156e2bdc63d59bbae9a8c36d6f1
fa89df8e9ce2ef14867f975a2fa4f9e3153f02ddbe261c33922826683482b3be
f6ef6dd1439771a20f55663c0b199a57f16da75e9249731916db75aca2265d50
e81901a970e6242560a0a44bc37bfa54a19174920f1f1ea032aeecc2008f2884
6b64730d26c6e0c4ec3db4e89ac886fbaf8cd4decf695c44201a8dc45b3d9f5a
94a5965ad18abb09e0e0e2ea434c021c0c4dbc20df6381196ac41b4ef356fe8a
b7ae1c2109159bbab425688f0735a3fc8c9d623c78ef409f3bebace05bb1ecab
c443575783b8c82cbbcf60290fe58b8093bb2be9e71dfe3abca851efc08519cf
8c36d1b83a2d060b222898c7b06c04b2b316db233dd58e6551bba8096520592d
348adfb8653e9a39c662e8bb76909d27fd2b79430826658ae8166140006391f3
40a3aac33840e3fa650b9a42daa9ecabaf27f36dbc94b41ce1620817ff188b67
d81ba294e8f5bd20984715efb925abe3df619def7254f554afd09242bea903e6
73efb6c1b43b24a695e351ae599855ecc01e30a90c4999c6f6c93bcfb8329291
000518a2ac056e4e5907aa1eab5b5c4e61b728583a4f77322a6c85190993f4df
c719c3f4ed747b4f467656f57a3eebcfbdaf116e86e78581038607e5830bbd15
80ce21fcc805697cd3d617fb8599d9e20a300a7e1428c0b160db85f166db5be3
SH256 hash:
00453b431844d710bfeb241096f60f52e0f5020a7ebc80f3ee739b8de9133597
MD5 hash:
7f5651193a586a2e5d1e64f847ccd725
SHA1 hash:
ae140945024ec16fe2aeb63687627b2dd68af3f3
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
SH256 hash:
f2d17f6825eedf911cafd3e58a62d9f07e02f417644cfe16e73084ec20f06b6b
MD5 hash:
a30527be5c501162fd59e0a980f59ed6
SHA1 hash:
194994ca2a2f3718e229f95fc27f8b0b1d788df9
SH256 hash:
2de7705c57725d9525162aac79d05671a611e525d9d2eb0e55cdb0b57c819936
MD5 hash:
27951d91957efe36aa0382f2e6c878cb
SHA1 hash:
0241dff1abf180e5c719fa220e9f09f9c5dac398
SH256 hash:
0f59ae24c5d8a02526fa039f3e03889984830a59ad179dc266c76577a7f30b67
MD5 hash:
800ace3210e3dc6689dcb2b48bb27233
SHA1 hash:
5c0c4fa9d24fe19a33e8ef429ae89b11f07ae658
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.