MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54
SHA3-384 hash: e55be0232ee3aee5870ed56c92bb86ccaff2df857dd89fe19e7aa9ec8e76cfb37fe7d63a92b244d742ef468e4c0d6d17
SHA1 hash: 1c3bc3d55a9e4721d16f267102f8bbaba180f9d7
MD5 hash: d13643311527ae483d36627d2447463f
humanhash: angel-network-carbon-kitten
File name:Purchase Order CT-7996.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:41'280 bytes
First seen:2021-03-25 13:10:45 UTC
Last seen:2021-03-25 14:34:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:g+WgyEIwvdOokcABF8Qd5JGfldki7YhxahxKBhxWhb:gOtlOzPBSmdi7YhxahxOhx2
Threatray 56 similar samples on MalwareBazaar
TLSH 3D03F7F64C443783FD087D34876C982FAA60F7369D01A62BD3476482DE46F9F6281AE5
Reporter James_inthe_box
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:sEJkyvsyjVqgcdGuaxQkdEqLyDqtKfHmMJZNpPDAQqhUe
Issuer:sEJkyvsyjVqgcdGuaxQkdEqLyDqtKfHmMJZNpPDAQqhUe
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-24T23:08:45Z
Valid to:2022-03-24T23:08:45Z
Serial number: 2bcf00418621eda7b2b26d0a504d36f4
Thumbprint Algorithm:SHA256
Thumbprint: 450f32662d108398e27d5927f0b20435af32f1d0220f2bebe266b03e660615e6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order CT-7996.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-25 13:13:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f4ec613-20ca-4fae-a2da-aa82eb930620

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.56601.19903.25018.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/653928
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 13:10:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
15 of 48 (31.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dyzgea6xgs2ljkmdeo4pm727lzre23xmx5prbn5xisvv76onzka._file
Verdict:
suspicious
Similar samples:
0036f48bec73d5fa22ff748cfbba749eca799c26076c59800c9b56b8c99982d5
AgentTesla
2866f5ec70ebbefba6db86a947187a4d283b099e25cca3c25e4e9e21f821c713
AgentTesla
61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26
AgentTesla
64f7230663961a028299cbdf42863e3402e6325864e453ad5ec743e05f3a5ce6
AgentTesla
750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf
AgentTesla
7b4405a91c3efb1637ed21a1b2fc3ce965fcd2770513e71d6ba0f2b7608e5822
AgentTesla
7e27cccf7b35b0eb3092c56794510356fdea2326551b1c4c71256bc7d36ecffc
AgentTesla
9d126181ae2105143b0f752266dc20d36c76f5032e3c343df47c96977ec18026
AgentTesla
afd0e2a33836232d156324023353331d3dbc04364b85f61f7e01a7504cf14a18
AgentTesla
f01dbed6e7c2bdd717fc4fa8b8924e3ded176c2e7eb8171c5699e118c4f6b69b
AgentTesla
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210325-y1slle8sdx/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54
MD5 hash:
d13643311527ae483d36627d2447463f
SHA1 hash:
1c3bc3d55a9e4721d16f267102f8bbaba180f9d7
Link:
https://www.unpac.me/results/4bb9360e-ee07-4e46-ac89-00fd5148932b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments