MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a
SHA3-384 hash:	8d07beae51784da56049da9b1a0b82aa1e48054ca6ea0bc4a2a179eac1ae65d6699d871aec8073b1c9b1d02c33617ae3
SHA1 hash:	302f140cf91141c82d76271dfd908b5cbc93c3ee
MD5 hash:	0f0d60bf0f405388efb113c7d774a841
humanhash:	music-uranus-bluebird-delta
File name:	SecuriteInfo.com.Scr.Malcodegdn30.18601.20591
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	974'336 bytes
First seen:	2022-04-14 16:40:18 UTC
Last seen:	2022-04-20 10:23:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:uJTk9303rJ1Xr8v9yo1tFx8UVtHjCLIsV3P888:uU3O/lwtgUVtH8IY/O
Threatray	16'277 similar samples on MalwareBazaar
TLSH	T16725124936BACB77D6B897F94A62A40043F115BE7539E2454CCA71CB3B91F010E9EE0B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	00e8f0f4f0fedc00 (1 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Scr.Malcodegdn30.18601.20591

Verdict:

Malicious activity

Analysis date:

2022-04-14 16:52:08 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/aba2b3af-b817-49ef-845d-8a40e6dfb336

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/263826/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.11054.31879.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/62584eb8eab80a7a6c147dae/reports/e3f2b865-7343-4072-8688-30ec338b26ee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d9303a4-5109-46c2-908f-f9ce8c28d0f5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/977064

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-14 16:41:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 41 (46.34%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ddmuppd55gtmp6ulhbnzvjjxc6x3q6bwymw4gurgmknreqjxv5a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

29098c0f72436c39ec0e7e567dc00bb5f78353f3b9c71e22901b19178e2b6748

AgentTesla

980b3cbd822808ce9bcf9acf21c0cb4f1ca1106c47e0533e18669ade27f9ccac

AgentTesla

9d24e8126703ce8965912d84f1551d49a66bb45bdb593c3a45185d67fa76d9cd

AgentTesla

ce6df966091d0a4c305d5629d789f7ed072d01b8b4559d6356ed1643454e2427

AgentTesla

defbeba113680db4e014a2b34be77a64529d1e0d5fb837e732eec92b842d364d

AgentTesla

ef85f9069eb8f860d143a599a3fe891ddff4341b3f6da959c69e6b6b22d3f53e

AgentTesla

+ 16'267 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220414-t63q9adcfp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5279095555:AAE4HwAzPbUle9whPqEu6faWeNRU-6BRHps/sendDocument

Unpacked files

SH256 hash:

76b86d7de4efabef1804ea115c98f9814a8718afb8087a63bf44784743726b04

MD5 hash:

ca2cf52b27db9e498479f45ee22686d3

SHA1 hash:

daac533fc575cb0dbf6d015807f9b06e24bc08fd

Link:

https://www.unpac.me/results/762d7224-35bc-437e-bfac-ec17bc328627/

SH256 hash:

c14ea4bdd27d729f044bf4e83e0bdb1e1cfcc92c987036fdbc439283c1022211

MD5 hash:

0587f7540c5eefae2bb042a11ff155d5

SHA1 hash:

24ca734b95fe93790c053f748791de56e66ebc1e

Link:

https://www.unpac.me/results/762d7224-35bc-437e-bfac-ec17bc328627/

SH256 hash:

d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a

MD5 hash:

0f0d60bf0f405388efb113c7d774a841

SHA1 hash:

302f140cf91141c82d76271dfd908b5cbc93c3ee

Link:

https://www.unpac.me/results/762d7224-35bc-437e-bfac-ec17bc328627/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d0c6ca3de3ef/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d0c6ca3de3ef4d363fd459c2dcd529b8bd7dc3c1b6196e1a913314d89209bd7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/263826/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample