MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524
SHA3-384 hash: 67f89ac21569b78f1dfe447008c63de8190d46e9f38b6f28393bf45185bcbe5520488e877007b6525218a2c96bf6a3f4
SHA1 hash: 819e19181a737729f190a9bab367f28b81a899d5
MD5 hash: bd55f70fb2b3e6a3b87a0f169c10f93e
humanhash: south-carolina-may-mirror
File name:Halkbank_Ekstre_20230920_073809_405251-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:896'512 bytes
First seen:2023-09-22 14:58:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:itHiMJrD6Hu33GRDtCoGAZdnnrlsvM1vT8yEQ2WANvW+xzDtBq2jcD1YiP7r9r/q:chDcx/CuBxhoDlNvW8D62Sf1q
Threatray 1'440 similar samples on MalwareBazaar
TLSH T1C715DFC5E98416A0DC69AB71A632CD3582237EFD6874A52D28EE3D273BFB3D35021453
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Halkbank_Ekstre_20230920_073809_405251-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-09-22 15:03:38 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/d874dc31-3991-4e8b-8bef-40c6d718edfa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/450634/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.23098.13483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650dabbc8a37001eb1d74d69/reports/2bb9d1eb-5e16-4670-9097-562608b7524e/overview
Verdict:
Malicious
Labled as:
Ransom.CryptoJoker.Generic
Link:
https://www.hybrid-analysis.com/sample/b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7b336628-5be5-40bf-b9af-33167ea32dc6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312974
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1312974 Sample: Halkbank_Ekstre_20230920_07... Startdate: 22/09/2023 Architecture: WINDOWS Score: 100 36 windows.msn.com 2->36 38 browser.events.data.msn.com 2->38 40 5 other IPs or domains 2->40 46 Found malware configuration 2->46 48 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 11 other signatures 2->52 8 Halkbank_Ekstre_20230920_073809_405251-PDF.exe 7 2->8         started        12 NLHFnrjTxfmDn.exe 5 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...32LHFnrjTxfmDn.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\tmp4EBA.tmp, XML 8->34 dropped 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->54 56 Uses schtasks.exe or at.exe to add and modify task schedules 8->56 58 Adds a directory exclusion to Windows Defender 8->58 14 Halkbank_Ekstre_20230920_073809_405251-PDF.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 64 Injects a PE file into a foreign processes 12->64 22 NLHFnrjTxfmDn.exe 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 42 api4.ipify.org 173.231.16.77, 443, 49766, 49767 WEBNXUS United States 14->42 44 api.telegram.org 149.154.167.220, 443, 49768, 49769 TELEGRAMRU United Kingdom 14->44 66 Installs a global keyboard hook 14->66 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->68 70 Tries to steal Mail credentials (via file / registry access) 22->70 72 Tries to harvest and steal browser information (history, passwords, etc) 22->72 30 conhost.exe 24->30         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-09-22 11:28:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcy5n5opfdbmrgfboh6j5yb22gdrahwme36ntqme7wjfuadmousa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1fa1508619e68627140eaffb803b566bf5123fedf75b1954185f8ea2459b6e53
AgentTesla
218eedeec9c3485bce17c4b42331bd00fc0a43f9975e5902c997b0c6509f4f51
AgentTesla
2ba5d8e1c77dac550fd1b7d19174670a30da616780dbad4d386f6b9dc2121e9c
AgentTesla
3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d
AgentTesla
4e1b1d2b65eb422808f2ef3d8ea6c548310bea1681efd33a9f3a8abce71cfb2a
AgentTesla
8c9aaf55abdaf2a893d56dc0ff3f3e37ec100a6e0ad0adf82f2cff4997112e12
AgentTesla
c0e472a9146a7975b5908ee8974d49f83426627cb074189268959a432cb61ea7
AgentTesla
c933c12f035a75bff0e7e6fd57cd8a3d72580e530a1940dec2d14acf9e313132
AgentTesla
e81e149121e331b139ff0943675ed8b7bd41fe9441b02e887b77d912537f6220
AgentTesla
fec13aa5cd5a5f883361b1192f68fe5f76da2e01437d99d767c383f5137da618
AgentTesla
+ 1'430 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230922-scqzxsgg71/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6315598701:AAF2CsdeWHvEuw0HSURtUQQu4FuqwvM5AOA/
Unpacked files
SH256 hash:
d4d5678b670977ae70f3797f601836b21e98bbbc875de0509943abd243c046c3
MD5 hash:
d39bd0c2eafcdca7ec6d692631d52ae0
SHA1 hash:
c0f1f6d03116044e3ca7ff8f5425f14b7dd0ac8c
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
SH256 hash:
5801aa72b9866f7930149bed21f5d70c4f146923619b5c6012c55901506828f3
MD5 hash:
e263332e7fea7fb49d2fa852689a19a9
SHA1 hash:
80cbd0a2612f18f3e57452035d76c9c7742902d1
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
SH256 hash:
48a35a4b67fea62998ec417a3b0f0ce2069b2c1f6811c167ceb3b52636ea4dd0
MD5 hash:
078ef631602c3f1ed57ed199e2128831
SHA1 hash:
26e69cb133800979ab882a6ece5ddf5f29c777f8
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
SH256 hash:
631c38cf652447128f262e600cc8783bdcb6d36f77e1d86b37f9fad749f6e997
MD5 hash:
c22c5bef73b2740fc1ccdf0e5a1cb7ea
SHA1 hash:
216ae0a5f45a184d3f62175703183277d93b87b6
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
SH256 hash:
b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524
MD5 hash:
bd55f70fb2b3e6a3b87a0f169c10f93e
SHA1 hash:
819e19181a737729f190a9bab367f28b81a899d5
Link:
https://www.unpac.me/results/c8b14f99-64ce-4b2c-92c9-a01a2f060d8b/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b0b1d6f5cf28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b0b1d6f5cf28c2c898a171fc9ee03ad187101ecc26fcd9c184fd925a006c7524

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450634/

Comments