MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
SHA3-384 hash: f3d10c59661e98fc9dccc23c392d2fa5270bee570747e6d62289152c1a858451f8fc8c5506abaa0b6bca9bbd1bee7625
SHA1 hash: 3471a7cdf16afff56f75076a8db5112fdb6dfc83
MD5 hash: 5a20b50b8dd0be34acee223edea303d1
humanhash: cardinal-kentucky-floor-pip
File name:aaiygiJAsBkaLRK.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'116'160 bytes
First seen:2023-06-01 19:34:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:yutW/4M5R687w9hNHLwbYP6uPJxyH8SXPTskH5epr1:yutW/J368yHHkbiVyH8mPTsH1
Threatray 2'540 similar samples on MalwareBazaar
TLSH T11D35020866FE9F1EE879BFF40A01213083F5661A247BE64A5ED359FB2E65FC04D41A13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
aaiygiJAsBkaLRK.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 19:36:16 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/5943f592-d2f2-40de-a2c3-c71aa90e617e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394593/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.23041.17215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6478f2e832f44d594eb97b02/reports/be21b76b-d7ea-47ee-a5b7-55037042c3b6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e600a54-29d7-4893-a147-21096348c420
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1247241
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 17:32:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4cyim6qrgsqat5zia3vfmpsomwlrkl6xgidl3ov6uwt6ofwptg2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19d89eb7dffdde1f430586fd0fbcb87e5e6b7bfc3ccb9ee1a80dfcf92c30c94b
AgentTesla
202494911805344069ceb189e70db6f89e17f55febe24dc4f42b3736c5b457a4
AgentTesla
4f83fcc39abe5edc0e1ff4abdfb7fb49b01ee918c3c0ab6f0378551450349271
AgentTesla
52f7df04cb306719eead0d602947612f3b909ef4fba8029af064891882ff4048
AgentTesla
6e6fbb8f5874a70451963264d87adb2f6aedce3c02d32881f4178e245c134537
AgentTesla
9f615d71befab152d5d48bca4568fd8a85b2ef53966c2c054fa703a1a8f89420
AgentTesla
9f9ef502a14f6985947ff8aed129252f4db71d4ab29bb2cd11b533ce1fbf3102
AgentTesla
a1147ccf60f6595605bbdef6050964cfe9223e65820ea9c354f54ceabdab8d9b
AgentTesla
a5e39f16cb3dec0b3e2b6fe876bbfa1805f2266011289cf24864b3b85d9e5561
AgentTesla
f9d49ba395212bc46444ac00546a04c8da9b251ce103adf52d9c80be61f6348c
AgentTesla
+ 2'530 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230601-yan1fage31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5473903116:AAH0COryXTO6kCeNjQRiy6Z66WJsa9yts6c/
Unpacked files
SH256 hash:
3214ce6d699782a1bfcca1a5f01137de8c7d5c377d7a4208775f2ed8c2478304
MD5 hash:
bcee068cbec8334f277bcfe996548f6b
SHA1 hash:
f3d28a05ff6a88269df288ccc4a174822947a750
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
Parent samples :
1a30bc0d430f010b44ea3768053a0889efab84eb1b5b199153b487633733de78
9e19816e28ea81520a46e89d85f46e573f4feed5eb0eef8537c36b1120bed32f
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
SH256 hash:
662b899a3d050fa6076cb97dd15c48b2b058d5e63d8d71c8311b26043b360e94
MD5 hash:
a501f46bf9084fa3b9ebaedae00444fb
SHA1 hash:
90159556d13064ce15bc0b8a650ad6b5fcd5ddd9
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
SH256 hash:
73d4aaec0f264347cc03f2b7a791afc0840fcbb683207d6af9c9b59bec544300
MD5 hash:
2efbc4dad284502ca334a1723a81f24b
SHA1 hash:
5f8511f0597e8b2361a3a0d3abddfed2fb238413
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
SH256 hash:
af951d655441882242ceafc33ccf660785fa31d64a429863d508c71dfeb94801
MD5 hash:
fefe8f5df3f39806d06010352b83f908
SHA1 hash:
1bddf68497747d90faa900fba68dc46508a12910
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
Parent samples :
f9d49ba395212bc46444ac00546a04c8da9b251ce103adf52d9c80be61f6348c
e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
5058d993163b6a49d2fa6b102c03da4217787bbb50026e84d111f85cf0241219
SH256 hash:
e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4
MD5 hash:
5a20b50b8dd0be34acee223edea303d1
SHA1 hash:
3471a7cdf16afff56f75076a8db5112fdb6dfc83
Link:
https://www.unpac.me/results/7acd0395-3b68-4151-90fa-8909e4224702/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0b0867a1134/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_d3ac2b2f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e0b0867a1134a009f72806ea563e4e6597152fd73206bdbabea5a7e716cf99b4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394593/

Comments