MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991
SHA3-384 hash:	a2581c272610d710b6566d9d3b622cf81ef3451ce257eac415135255926648cbbde9e8e544680c9fcc56abd5958f91a4
SHA1 hash:	58897570838af026f2d15daf699ae19f296a41e6
MD5 hash:	8f5ed14139e843b49ca8fd1a09d66b56
humanhash:	fix-spring-kilo-don
File name:	mr kesh.bat
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	8'192 bytes
First seen:	2021-01-25 06:19:28 UTC
Last seen:	2021-01-25 07:50:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	96:5mc/pv5p8QUgiC6XJ56dzPlYok4CdGz+mWKu+JSTGfHdQ9e8/A0Zh:0c/pv5pbMCGJoBPlZVMYjW1+JSudQG0
Threatray	2'272 similar samples on MalwareBazaar
TLSH	83F19404F388AF23C97D7B791253151933B796C22B6BDF226F9D4AD1A8035CA0E1E749
Reporter	cocaman
Tags:	AgentTesla bat

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mr kesh.bat

Verdict:

Malicious activity

Analysis date:

2021-01-25 06:24:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/78c1ea3d-5658-4452-b3c8-19efc2ef850d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114595/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader36.37393.13779.13377.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Sending a UDP request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request to an infection source

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/589201

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-01-25 02:47:43 UTC

File Type:

PE (.Net Exe)

AV detection:

9 of 44 (20.45%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6crsi7ozbgxdyvdoiwerccnsr2qvrqf6hcituzmlazpjqd2ivgiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

3be787bec6c661048c534c126761c2be937e70cb5ce8f1922cca5f4f22106b54

AgentTesla

40c8376a50a1b89af73aba46d959d14b5b1964accbbf6983066bbf57224f5d8f

AgentTesla

45fde804068d4fdd834fbabc35029ee0d8e427b7e5e32b4fd62cd17fee36b8de

AgentTesla

61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d

AgentTesla

a9af2bddccc4126a93f8b0a3413df57fd0f70d8829c8cba61c8aae21c07423f6

AgentTesla

b3169da25d6a50990a664203361eac74ab36b8f9412e46fd89e19f450993e307

AgentTesla

d6815935b80fc0d39cceab37523c71add55b175d975fa0d42169894b551e27cd

AgentTesla

+ 2'262 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210125-j6gmdemvqe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991

MD5 hash:

8f5ed14139e843b49ca8fd1a09d66b56

SHA1 hash:

58897570838af026f2d15daf699ae19f296a41e6

Link:

https://www.unpac.me/results/e57000ad-5cc6-41f0-a63c-3f0843f5fad0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Dropper

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip afd5410abbe5d213a422788ceddae0aa0b53659e0b2c90f9f47636875c3035d8

AgentTesla

exe f0a3247dd909ae3c546e45891109b28ea158c0be38913a658b065e980f48a991

(this sample)

Delivery method

Other

Dropped by

SHA256 afd5410abbe5d213a422788ceddae0aa0b53659e0b2c90f9f47636875c3035d8

Cape

https://www.capesandbox.com/analysis/114595/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample