MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37
SHA3-384 hash: 237d0cdcdcf897dc4871fc9186665a0bc7c5c15fa120e50e69f1a24464119d8ea3e731068818f409abb7a233187510e5
SHA1 hash: f53a1887dc201ff3b0ac0b564db855a710c2b27b
MD5 hash: c956495d2aa790c005f2532efb1fcbe8
humanhash: fourteen-fruit-cold-snake
File name:c956495d2aa790c005f2532efb1fcbe8
Download: download sample
Signature AgentTesla
Create hunting rule
File size:653'824 bytes
First seen:2022-06-13 20:12:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:21xBafvIK2iNq2iNq2iNq2iNk9KFp2dHXMiAUgpRV7yBHQ6V5HUrfOKKw:21qf51I1I1I1aKFgHXMiAUaRyye5qBl
Threatray 18'026 similar samples on MalwareBazaar
TLSH T126D4F1C4E367EE78F028A2B7B551C01C2BA95A1D81E1C13B5EACB69E34B274705F0E57
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
c956495d2aa790c005f2532efb1fcbe8
Verdict:
Malicious activity
Analysis date:
2022-06-13 20:21:04 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/2adf3b17-5956-459f-b8f5-6f1aa8b0586f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279528/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.1364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a79a8f040517c34795d1bd/reports/999f6f61-0425-4c0e-834e-f055d1726834/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d4e15a4-b459-402c-a794-e85f474adc8b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1012399
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 13:59:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udgmj7u45hqi4xf2gmh5xhucjrdrfojyrqbv4lfkzfl5mrma3m3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38c2596306c9ac38bbcb81b4184edcb0008a7d4b42dee80396a304b1e5735990
AgentTesla
3c0482a1e2c12cfe48e51540ceeead945909eb8af8c62e36f7ffad1d58c8f4b0
AgentTesla
58c4b64412b4dd61472d6df712f5ec38b7b2f8d88d6607b90804c4253b6400f4
AgentTesla
781a63f173507bbaf99c4937f324e8b1e746f807583f48328e6005ce6aae003b
AgentTesla
ccaa83564fadff981961b0098a3cdeccc8f46800892fe00110b40562506a7e1b
AgentTesla
e2b6d03b8580b415e56ab917eb2f131d1b1086bbcc9fee88c390ec3469ed12e6
AgentTesla
fb1afa6e7bae619514d7d2ff10a9cc96a03b5e10640059f592c7e5f3d6093d31
AgentTesla
+ 18'016 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220613-yzdwrsega9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5234386705:AAFiSLC9LfuAgHY3n_wouo8kIj9kYTJNey8/sendDocument
Unpacked files
SH256 hash:
7127f4dd1c19d24080d4b5ef2c400100871f2c0418cb9971c030914ba96662cb
MD5 hash:
36877dbc50b4e49aa97c7a7c654ba57c
SHA1 hash:
fd6e9834738a392275ecf4b8931dce2eb8943f8e
Link:
https://www.unpac.me/results/d9e8b5d5-45dc-40cc-91b2-4e9a660b4f5b/
SH256 hash:
5f1cb9487ef67e0b1c339e7a89738ba2770925ee2271afcc1cfda90e8edbecbe
MD5 hash:
9ae65d2ee6c6f8c84502af378cf14b92
SHA1 hash:
42e4eed6d2e3c747333ca25b5ac164eeb51226ff
Link:
https://www.unpac.me/results/d9e8b5d5-45dc-40cc-91b2-4e9a660b4f5b/
SH256 hash:
edc49ce9524d726d7cee2373194b545dbd3939866b3c4489dfc5868e00915828
MD5 hash:
223675753e4aa1fd11ec74974c405528
SHA1 hash:
248bcffb784f94c04edb7ab90d066a7bd5c3830d
Link:
https://www.unpac.me/results/d9e8b5d5-45dc-40cc-91b2-4e9a660b4f5b/
SH256 hash:
dec15271d422cf3b82c0a94cf147312bb5a4a4f262da4b698ffe7e6bdaf18053
MD5 hash:
79c5c39e29ebe233cd13a50987e64609
SHA1 hash:
0560314716e6519158009159c017d2b52116608e
Link:
https://www.unpac.me/results/d9e8b5d5-45dc-40cc-91b2-4e9a660b4f5b/
SH256 hash:
a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37
MD5 hash:
c956495d2aa790c005f2532efb1fcbe8
SHA1 hash:
f53a1887dc201ff3b0ac0b564db855a710c2b27b
Link:
https://www.unpac.me/results/d9e8b5d5-45dc-40cc-91b2-4e9a660b4f5b/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0ccc4fe9ce9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a0ccc4fe9ce9e08e5cba330fdb9e824c4712b9388c035e2caac957d64580db37

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2236840/
Cape
Cape
https://www.capesandbox.com/analysis/279528/

Comments


Avatar
zbet commented on 2022-06-13 20:12:58 UTC

url : hxxp://2.58.149.200/mbo.exe