MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939
SHA3-384 hash:	e40ba54514cbdcdc47dc43268aba410f10decef303429dfb22436769e2905227ba963f27148f31beb4380e3103276174
SHA1 hash:	eedbbcf355ec67674bad095e631476b37c36768d
MD5 hash:	029d277a3d2b6e0ba52561e0847e8e12
humanhash:	colorado-mango-fifteen-arizona
File name:	Spinner parts manufacturing.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	941'056 bytes
First seen:	2023-10-18 16:34:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'656 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:Tmtk9G4idtJYb6tzcjCFFOWWLhJR0Sshc3e:TG4uJYb8zOCitLzR0A
Threatray	705 similar samples on MalwareBazaar
TLSH	T1DD156A7D1DF98227B978DAA6CFA0C432F06296EFF5625D2AD0E746418702903B4C71BD
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939.zip

Verdict:

No threats detected

Analysis date:

2023-10-18 16:48:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d62ed50a-4af2-4232-88b2-76d2c8178f81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.10506.4016.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6530093a10dbe5fb92cde410/reports/8179526f-8492-4bb6-884f-3ae0a19ab7f3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ccfd7e9c-057d-4055-8eb5-02f3e42e76d4

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1328208

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939/

Threat name:

ByteCode-MSIL.Trojan.RemLoader

Status:

Malicious

First seen:

2023-10-18 16:35:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=udjxw4jcc6opvzguexqssgfm5mq6xu2u6utlc3ecyg5rh2ujxe4q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4c586bb1d1197451bf41ce8be61cfa82d237ddbfcaf3815303d8ff393803721b

AgentTesla

57a285820956c77b8f6c8720ad8f2612d00012991d002b975cbb14310d481956

AgentTesla

62534a146dc4b71bb4861d8924706ff594a92884257e540b6bd444e0b580f0f0

AgentTesla

6b569e9c815e33a762d6514f32c53524a34b104347624ad7cd4c4d591fc9986f

AgentTesla

7896b4cfc3a0bc24a6833164c934053575628c00473e3af848d361a6b8b02ca4

AgentTesla

c4b29cd7266136b56288230ab14f82baaa4b2196c402c6c994543246936005d6

AgentTesla

e4c2c8f842ce22820f548ebae96def1fff8f86ce6c92adc4ff801d4adf46e1c9

AgentTesla

f194c468d6650ca2579c1adfdb03ab2bfd5d0f6a0c324e97d5651e1514ea93b5

AgentTesla

+ 695 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231018-t3ng6agc9w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

79c0e449fe2519eb3616325819e71007e416ac79270cf9b1961f608ec538e51d

MD5 hash:

7222dac23c7761531ac7907b8505c0ab

SHA1 hash:

c81b65ae0d1ea7cedd75b4b05e721d297df93a00

Detections:

AgentTesla

win_agent_tesla_g2

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

Parent samples :

6b569e9c815e33a762d6514f32c53524a34b104347624ad7cd4c4d591fc9986f
03c9e0678b9ea69e0db2bd15c7d010b6d6faaf30993acf9bea685b4658acb936
a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939
b75c597906ab84fbd28467fe85d0dd12bf06130f2c02c3e2eb265e725e4eb438

SH256 hash:

18581f567cae5dd61d12b110a24eeb23d3f1b04a58c05e74c5f91598db8b2927

MD5 hash:

cbd05be9fd20b8085c3aba9c53654c5d

SHA1 hash:

c2f1debf287aff4c8aea9c33b19b3d6168ebc81f

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

SH256 hash:

de59c3246c72163cfc5d3b5a8aec72ec6a585893a6c7d80fbff35238aabe6027

MD5 hash:

c3b2bcacf04baacd6daae4cf4896872c

SHA1 hash:

b7815d4d77ea49e493898d9ce06061e2c9c83feb

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

SH256 hash:

ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa

MD5 hash:

51e85d063788811778e570139e28ac5a

SHA1 hash:

b3a9f24d4d25c91058e6c1f91e07219423b428fa

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

SH256 hash:

e4b3da4112f6173fe0cd958d8eda6d829591e0083b7a687f406c56a5e52948e0

MD5 hash:

4e371e1dee861d7d66e38da0de8a1ab2

SHA1 hash:

289b12df2604e91e57eefe179091b93ed9648412

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

SH256 hash:

a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939

MD5 hash:

029d277a3d2b6e0ba52561e0847e8e12

SHA1 hash:

eedbbcf355ec67674bad095e631476b37c36768d

Link:

https://www.unpac.me/results/b2b4198e-fe3e-4127-a41d-7eb873aa7884/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a0d37b712217/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0d37b7122179cfae4d425e12918aceb21ebd354f526b16c82c1bb13ea89b939

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample