MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments 1

SHA256 hash:	a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf
SHA3-384 hash:	febc9a2714f66bc3efd05fed65eaa7af141d67562f7b4c3c7d59c9a29a3a3c26cd3c7c2c11c55015fd637c49cd0b9d90
SHA1 hash:	79d47a4beffc679efb4eb58867c78f1d1ba5c6c5
MD5 hash:	6f8cc1b562cfcc9ccf651b4e0070419a
humanhash:	jupiter-summer-salami-artist
File name:	6f8cc1b562cfcc9ccf651b4e0070419a
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	444'928 bytes
First seen:	2023-11-28 04:41:11 UTC
Last seen:	2023-11-28 06:17:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:43CQmbCpHrpw2LTgRRL2bgOpYP0Pt5NMb08J:afFXvIL0gFcPrNMb0
Threatray	561 similar samples on MalwareBazaar
TLSH	T13794126233688AA7D4FD55F5946006014BFB39E7A024E7DC2E91E4ED0CF27918B12BDB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	68c4d2d2725a5252 (10 x Formbook, 8 x AgentTesla, 3 x SnakeKeylogger)
Reporter	zbetcheckin
Tags:	32 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

334

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460835/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65656f9b2efa450749aad9d2/reports/a449e26b-4e45-472c-910b-e0774376d355/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8bd576f3-a70d-4d03-803d-2e3d7c39c3d1

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1349036

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-11-28 04:42:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhyfjheh3d4fbaqttuuro2artxjipmco5xshqziwk6mqdp6cmhhq._file

Verdict:

malicious

Label(s):

agenttesla_v4

AgentTesla

19c50b3c8e3c4e074f378c9df1f484ca4f79c49fb2310880dad80eb09433f2fd

AgentTesla

499b9aba5bbcc6a66bc341089f9cf3debf205fc2ac3c9ee85862f395bc9eed66

AgentTesla

53ea1826e53406dcc0d0da1fccff25c5beb9deb6065cf554303aec609209bceb

AgentTesla

+ 551 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231128-fbnrysfc37/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

c1ac32707800baca0853bb3c6d51e33bd0115561e3a6cd639a96b37f02fe3f9c

MD5 hash:

5b7d07170f5c04f1a3ea73d7e45d7b95

SHA1 hash:

dfb4f39fdd5983bc09f87be40a812700e3cd710d

Link:

https://www.unpac.me/results/25b41671-348c-468f-bd2c-6a3f905f5e9b/

SH256 hash:

f5a8f5ded618fd3989fa98a3c2d87c4853d6e10ecb1313cd5ddd7df375336b31

MD5 hash:

243f9990bb7d68a3f6e4d3999800da5b

SHA1 hash:

ba555175d12f19f6288a3574738bcd6c8b747e3b

Link:

https://www.unpac.me/results/25b41671-348c-468f-bd2c-6a3f905f5e9b/

SH256 hash:

ce1df40beb9b74e1a29165d1abca4df254d5f0908282357fbebc6d7e47a4b6fa

MD5 hash:

3d2c037c09b210625a3e90af8cbb6b2f

SHA1 hash:

98543901cf63151446544de317af06a69293d207

Detections:

win_delivery_check_g0

Link:

https://www.unpac.me/results/25b41671-348c-468f-bd2c-6a3f905f5e9b/

Parent samples :

a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf
f3822be58e564a1b2a398a19230c9c883db834f2728123af346eb7e74c3a86c7
fabea9a712e2a0ecb7c652950ff743c8d3c937fb3e24ad6c286f2c5cf6c00a45
218a25e7be2c3d9911cfe077fde0adc5679c7a30904707322d49952c03d24d36

SH256 hash:

c34dfbc328de247d25d670c3b7853f1dddd2ec2607d5dbb0480743b45a15ea64

MD5 hash:

85b87384830444e6ab86a4a692ce96cc

SHA1 hash:

0d7d4614cf31d27e68ebf48e76fb1d308cc08152

Link:

https://www.unpac.me/results/25b41671-348c-468f-bd2c-6a3f905f5e9b/

SH256 hash:

a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf

MD5 hash:

6f8cc1b562cfcc9ccf651b4e0070419a

SHA1 hash:

79d47a4beffc679efb4eb58867c78f1d1ba5c6c5

Link:

https://www.unpac.me/results/25b41671-348c-468f-bd2c-6a3f905f5e9b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a1f0549c87d8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_delivery_check_g0 Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe a1f0549c87d8f85082139d291768119dd287b04eede4786516579901bfc261cf

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2735882/

Cape

https://www.capesandbox.com/analysis/460835/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-11-28 04:41:12 UTC

url : hxxp://china.dhabigroup.top/_errorpages/damianozx.exe