MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57
SHA3-384 hash:	49c2af89d9099b4186e4a6df89529b817239703e51b30d660acd0904d80c0b7392504a61e0197b61902f33a600bb3efb
SHA1 hash:	1e7df1d1bfd37cb32b2c436a672a6efcde3571b1
MD5 hash:	492755b80d1081ba131a439da2ccfa06
humanhash:	carpet-low-happy-steak
File name:	oLfc11oOvIyJ9el.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	978'944 bytes
First seen:	2023-05-30 14:19:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:AwLaVUH999mR7JsQ8B40dyc8S6AX2NI5j0ZpgWa:PBH9mR7J7C4HcFl822O
Threatray	4'465 similar samples on MalwareBazaar
TLSH	T14B250180B1BB5B2BC4BB53F58904A3341BBE699CB972E30A9ECBF4D72551F005681B13
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

oLfc11oOvIyJ9el.exe

Verdict:

Malicious activity

Analysis date:

2023-05-30 14:21:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/595a397d-a886-47d4-94c8-c1a34df6659d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XorStringsNET

Link:

https://www.capesandbox.com/analysis/393614/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.7981.29355.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6476061377041814be671bb3/reports/dacd4e0f-72e3-4d8a-af78-0bcc7c1e732b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/edeabb69-8521-4d17-87de-f87bc5da5869

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1245384

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-05-30 14:18:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vh3tnwzwauriaq6r3ghqupsw3bjtg3jf2bvoyj5xedec3lablrlq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6606e8e5dbcaf4e3c38620c97849f456c0bac6999a075575d7f24ed742c4ebef

AgentTesla

697c1f0051fe7230dd1cd8c8a23867cb69912ffe09e0d71950de153b19f41133

AgentTesla

6ba348dfac24550cca10be771bafa25a19f9baca0651f4467c71b8974a163061

AgentTesla

70eaca68c13178818bb56a31bfc2ce4395a14e198a78cc1caf991480e19ea939

AgentTesla

77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0

AgentTesla

c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5

AgentTesla

d7300cfd284114c32015ed2c8d711f8d5c204428e85addd79fc73539c024ca7e

AgentTesla

e28f5580f49499fbe090745eb426fce6b027c44a07f9319dd239826aad4f6d8b

AgentTesla

f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b

AgentTesla

+ 4'455 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230530-rnfsnaad4v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

606c6ec95eb659ea4dad3f370bad254865434dfbc55e2e5b14ef2aaf169bc7c7

MD5 hash:

41829b8f83d156bbf26ef2ba9070f1aa

SHA1 hash:

a21b46cdd50b45a127ba71dd16e4d6a88fc0fa5d

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

8d588e840facf0a7ad90b18eedf92d42aba91807e3b42ae4b35f1077b6acb222

MD5 hash:

b611caa104b200e1f2d77f11bb610348

SHA1 hash:

4f3e021da7976b787f57f62a5c4236c2f188c1ae

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

Parent samples :

f98336b0cea5ed7b10aaf0b76b63d5f88cb61c2d492974a1fd22b8f1fb0b9e8b
a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57

SH256 hash:

75c5831a3411fab9348204df417c419a3efde0db168ec2597254532a3df1f8db

MD5 hash:

673061d01f875fd1c3891a6351866ceb

SHA1 hash:

3c1986a7bcf078251cdd4f9224ab7c6f0cfe2095

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

SH256 hash:

f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8

MD5 hash:

7299310139d8fd6d9f2c067d13b3824e

SHA1 hash:

3bbc1160b82f289b5e8683d790a2ec1263998930

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

SH256 hash:

a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57

MD5 hash:

492755b80d1081ba131a439da2ccfa06

SHA1 hash:

1e7df1d1bfd37cb32b2c436a672a6efcde3571b1

Link:

https://www.unpac.me/results/5ccaf88c-d410-4a68-8ec9-277e880627a5/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9f736db3605/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9f736db3605228043d1d98f0a3e56d853336d25d06aec27b720c82dac015c57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/393614/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample