MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08
SHA3-384 hash: daa3f1740b2285d230f1a7d2f4fa7139b94aa574698546455f72bb8865a7f8833fc197b2301dede8eba7d96bbb6cbbf6
SHA1 hash: cdd026b699fcfb7fb1c0521852d70c77b58d254e
MD5 hash: 4f233c11385759c7590b9b2e27162d5c
humanhash: golf-hydrogen-michigan-shade
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:750'592 bytes
First seen:2023-05-25 08:35:59 UTC
Last seen:2023-05-29 09:53:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:y2N8jiZ4zypIPsTtPplTY6RhKuLRiqQt+2vqfRx3WGvBFihBV1tX5/xw6a1aph1Y:y2N8jiZ4zypIPsTJTDEiQtZ0xGGLg71m
Threatray 4'234 similar samples on MalwareBazaar
TLSH T14DF4DF40A5EA56C5E5BB67F14F26F774433D2CADA1B2EE063D8BB1E651307010932A2F
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 416318990b218c4c (1 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 08:36:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca52ad4c-7b53-4fe7-8007-24d45481e944

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391498/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646f1e125ce396d092140e48/reports/08a8d092-5fbc-4ed1-9835-c08e81ff558d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a9c4ba7-373d-4334-bcb0-e4d94125bb87
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242259
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 10:29:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gj4roegbjqyv7x2uut2pxnjgx77ef3plf3nkbxwlc6zhqwajyea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35bac7b8798c166302e93664c027dc312d0f956e4b9091c8b6c43ea7afbf4977
AgentTesla
41250765ce8be9fb830cfd0ca91b82a7018d7859b6cd90a80de2f83eb365cc2b
AgentTesla
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
AgentTesla
6852d72daa3cb833ad7303422696b68b2df654acab26f54f36732c3e97822cd9
AgentTesla
7a8572538d238ecc9522afd19cdbf90ba4562b3c075f2b4d6b070e29fc565f0b
AgentTesla
893870940f0b3f56d46f71effcd3cc731607154214f1ba956f54f50b5a4134dd
AgentTesla
a7abe48c11defe7c62c3b5b54eccbf4b7a4cd7ae844c7206312dfbec8ab3b9ce
AgentTesla
ac18f1cbdf0303e840e4da9594405257df6300374d748956c8378b07181c6129
AgentTesla
c4fce336f2e0a78838016ce095556c8d121801cc13547438f1b3464afab94b49
AgentTesla
f328c0cde7df997ea2fd271bd3096b93f28fb6d93b06e5894209684b9f58873e
AgentTesla
+ 4'224 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230525-khly6aha29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6175178581:AAHk-SpIPyDneGNKdp_qF5kBnZKjYzJe0-8/
Unpacked files
SH256 hash:
623c603608de95ade3ebc8519b6ff2dec6eaddf129eb0a9d07fbfd4c0665f487
MD5 hash:
09e5be5eaa02466156d8fb66e1b990d5
SHA1 hash:
b5642d89168dc6f32fcdb065e0593aec1dcb45ac
Link:
https://www.unpac.me/results/1e7e9841-7649-4998-a735-e9d26068ee9a/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/1e7e9841-7649-4998-a735-e9d26068ee9a/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/1e7e9841-7649-4998-a735-e9d26068ee9a/
SH256 hash:
d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08
MD5 hash:
4f233c11385759c7590b9b2e27162d5c
SHA1 hash:
cdd026b699fcfb7fb1c0521852d70c77b58d254e
Link:
https://www.unpac.me/results/1e7e9841-7649-4998-a735-e9d26068ee9a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d193c8b8860a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d193c8b8860a618afefaa527a7dda935fff2176f5976d506f658bd93c2c04e08

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391498/

Comments