MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4865aacbca098c07aea1e49efe9bf55dd13b0120b9f29cf49575532ede8ef04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 8

SHA256 hash: f4865aacbca098c07aea1e49efe9bf55dd13b0120b9f29cf49575532ede8ef04
SHA3-384 hash: f2f0d0185d6b8d945fe5d6d5f06848d47602065191c52f4753aeb58b1a29d88b5d3c1e94073d3081945351dc104de97e
SHA1 hash: 1f35b4b1dfea332d890733f9d4b838e6d16117aa
MD5 hash: 76d9b797ab0a4ed1fdd108a1f9b31388
humanhash: saturn-comet-california-nebraska
File name: mOchrona.exe
Signature: AgentTesla
File size: 8'111'033 bytes
First seen: 2023-06-13 14:31:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:9Msp7lUOtskX+X2XUq78gVunZFMytdiz0z:9MI7Wax40uPJdizq
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1CE86223FB268713ED46A0B3206B39260983BBE65B81A8C1F57F0791DCF765601E3B615
TrID: 60.6% (.EXE) Inno Setup installer (109740/4/30)
      22.9% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0006070767670609 (1 x AgentTesla)
Reporter: pmmkowalczyk1111
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 313
Origin country: PL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: mOchrona.exe
Verdict: No threats detected
Analysis date: 2023-06-13 14:34:19 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: suspicious
Classification: bank.troj.adwa.evad
Score: 38 / 100
Signature
Creates files in the system32 config directory
Enables a proxy for the internet explorer
Installs new ROOT certificates
Modifies the hosts file
Obfuscated command line found
Sets a proxy for the internet explorer
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID 886714; sample mOchrona.exe; start date 13/06/2023; architecture WINDOWS; score 38), reconstructed from the flattened graph:

Sample-level signatures: Yara detected AgentTesla; Yara detected Generic Downloader

Process tree:
mOchrona.exe
  dropped: C:\Users\user\AppData\Local\...\mOchrona.tmp (PE32)
  signature: Obfuscated command line found
  started: mOchrona.tmp
    dropped: C:\Program Files (x86)\...\is-QM6FT.tmp (PE32); C:\Program Files (x86)\...\is-93PTQ.tmp (PE32); C:\Program Files (x86)\...\is-6B08R.tmp (PE32); 171 other files (4 malicious)
    started: Installer.exe
      network: safe.duckduckgo.com; forcesafesearch.google.com
      dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
      signatures: Sets a proxy for the internet explorer; Modifies the hosts file; Enables a proxy for the internet explorer
      started: conhost.exe
    started: BackgroundService.exe
      started: conhost.exe
    started: mOchrona.exe
      started: WerFault.exe
BackgroundService.exe
  network: api-mochrona.gslb-ext.ose.net.pl 195.164.192.4, 443, 49680, 49683 OSEPL Poland; windowsupdatebg.s.llnwi.net; 2 other IPs or domains
  signatures: Installs new ROOT certificates; Creates files in the system32 config directory
  started: certutil.exe
    signature: Installs new ROOT certificates
    started: conhost.exe
  started: certutil.exe
    started: conhost.exe
svchost.exe
  started: WerFault.exe; WerFault.exe
3 other processes
  network: 192.168.2.1 unknown unknown
  started: WerFault.exe
Threat name: Win32.Keylogger.Generic
Status: Suspicious
First seen: 2023-06-13 14:32:06 UTC
File Type: PE (Exe)
AV detection: 5 of 24 (20.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files

SHA256 hash: b8da6c4111dad541fe9d559b0615bf5284ad449c25976ed48c426b1f2ab1b74b
MD5 hash: d41dcc6ee981d6d128e072b530494743
SHA1 hash: e536a0b65a67da5abbe496bb2a7540bf88dd12eb

SHA256 hash: e16897b98adc10e4ca840a7f6b74aa5a59406ae11201f11099279a6382988ea0
MD5 hash: ce05fde1486a6dceaef3cf6be2aeda39
SHA1 hash: e4125e2be69d34ab98a4e1eac681fcc4a287f096

SHA256 hash: 4dc279355a9b093cf066e7b07122a3e982cd170bea61469dff807fb63c98a18a
MD5 hash: f98152bd160c6c26a5e1cf84599d9556
SHA1 hash: d93d340cea7cf17cc07bfb44f8b43595a7baca8b

SHA256 hash: 13db11053b197e638faba53337d0753f36b391b792de0fa2e8d9b0265e40b1e6
MD5 hash: 1c9f1e12be4514ce6490996cfe565279
SHA1 hash: be3f3f0de3503c5a1c939b9f37b271a1e272d553

SHA256 hash: 2e1599d090ab8d725fe8d1e701ec31d2ee009e2272691f85e212ab6ca49ef0df
MD5 hash: c4df559dac8dfe4c494a7d6a4f618d2c
SHA1 hash: a1f542199d6b02f5ba8886a8bae21c1c4a332018

SHA256 hash: 6a2091f1c63534c9fd40a87da657485e220c957d6cf31bce5e7e417fd9b1e09f
MD5 hash: 7289d75540f200570cb581ebe1b49b2d
SHA1 hash: 7dfcbb4bc9bda01833e463a3c02ac814b54ed258

SHA256 hash: 95b7eb32fbee2a0d971d5bf53133e0c1cd8cfa025469ef4372a47cc2fcae9474
MD5 hash: de2bf8d5209bf6a5e7b739b6adf085c5
SHA1 hash: 71bb328525618857eaa20c6092837a8353e70b72

SHA256 hash: 957172dde5f770eac9b298032b199c971866061d3282bdaf05c346e49d278284
MD5 hash: b915fd94953e374d3263dab60cf392d1
SHA1 hash: 5eb66e5d69052ad4ddb3d726abaa7fa54217321e

SHA256 hash: 829f9cc6b93861cdad31279f9788183e32661f543d071003e056f00f52505ed9
MD5 hash: 1a2c453a57a686dfa94bacd03386caff
SHA1 hash: 55c21441c7ea1b023df02ced10b6b623e0fdde4e

SHA256 hash: 746902bd3dbdcbdaca11eba25ea78e61fcac8262b981e3a717c44d6a995013a2
MD5 hash: 46049a7652684f0a50b63b2a869b0b5c
SHA1 hash: 3c6f2bb9ff324e26314f762a9f77ee1e9a511d10

SHA256 hash: c4f1183e4df24d8cfdc6237118f748ddff2cf1a71d77378440ece7e49366205f
MD5 hash: 6625eb32c21a4dec2adfcb6421d9cfc3
SHA1 hash: 2effa00d802690d693eb0d9f31d9b33840ba18d8

SHA256 hash: 42062b2bff441ad6d5b9dc550e38aae44082d8940583073847b9d0b1fa078897
MD5 hash: b3959e9364a5546b793599d4c203ec78
SHA1 hash: 28053a9966da6761db7829128bc640bd4e98ef40

SHA256 hash: c1f375243b76b9a991738b81d74b73ff598d628003dd53c43cedc6e65cd0495a
MD5 hash: 3ebc1f2bff2f6facb1a499e664bef77d
SHA1 hash: 0376cc114824772e4db2e91a788f932bd1fd1a5f

SHA256 hash: 2deaf475acff39430c440e694f2afaa5aab296a586b7be34a4cc2f04a5b0347d
MD5 hash: 492a83efd4efebf916ccb666fe4b967b
SHA1 hash: 7a9c7af0b4cf853d95251a3e5a12105d3f28e27f

SHA256 hash: 248defddfecf27dc34fbc449234f4f4234d861a1a8b7afd7a0c02cba91848e3d
MD5 hash: 6f3204db657fef6232e99b2dd4d8f657
SHA1 hash: d7e90eaf49468448d2e41ee1050160ae82c71c3a

SHA256 hash: 910833acb57810bde0d82605997a99569293344f6fbe905ab1f2213decd32ab9
MD5 hash: 2cc80d7ae3661260cd0bab8582bfd1c0
SHA1 hash: 4c0e7cf2f112738086278574291ec0dafec1b527

SHA256 hash: f4865aacbca098c07aea1e49efe9bf55dd13b0120b9f29cf49575532ede8ef04
MD5 hash: 76d9b797ab0a4ed1fdd108a1f9b31388
SHA1 hash: 1f35b4b1dfea332d890733f9d4b838e6d16117aa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.
