MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f
SHA3-384 hash: 759ed43e3466fe56437e5b3c7d1cfdfa57bad61b1d60dbbfc89ca4d506796181002aada3bdfa35d8b2dcd61d2fcfe260
SHA1 hash: 02fdfb8f0c6cc787dbaee4cafc59b69423c873f4
MD5 hash: 78e3cfb3ea98b3fea5b40bb4959df718
humanhash: oxygen-seventeen-fruit-violet
File name:Payment Receipt.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:756'736 bytes
First seen:2020-08-03 07:25:54 UTC
Last seen:2020-08-03 07:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 831ec412be4cd06baa632b18086fedb4 (12 x AgentTesla, 6 x MassLogger, 6 x Loki)
ssdeep 12288:uZnVKDTViiHWs0H/3b6Wx/wtmqOFOUW3WiwGZqJTMRo1b7lDWvs:I44isf3bXot2CWXGZmMRc7Qvs
Threatray 11'686 similar samples on MalwareBazaar
TLSH 95F4AF62B6F04533C1262A3C9C1B67749C29BF107A68B8766FF91C4C4F3969139F9293
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway33.websitewelcome.com
Sending IP: 192.185.145.87
From: info@welltechscaffolding.com
Subject: Payment Receipt & Corresponding Documents.
Attachment: Payment Receipt.exe

AgentTesla SMTP exfil server:
smtp.fretian-muc.de:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37458/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/407597
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 05:10:51 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmjupslad7t3ytsm6yq2xpdjnbrwbujbbpyaixlghwl235p355xq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
04428691034f3f528edcfb3a87d8edb1ea37d2cba338657e29ebc857c2fa5a6b
AgentTesla
30a0f8b6dc30fb3a9e649149d9e92f39b50b4d9c595f9d5c4400c62caad0b7b4
AgentTesla
662f115f07c983b7c060eb8a98b4dfa8951df8f3149e71523d2de7ee97d9139e
AgentTesla
8ec138573f2b77cd4a2772d6d2abcc2130ac1d901340505332ce78fc7096622e
AgentTesla
9bcf29ef3bbb1003db97934e2412dfb77fc1d289797a9b4eab2af243bbc8987f
AgentTesla
a97aec67e2a556ec45ea8aa3db146d119d39b14486db55ad5b930f8295eccfae
AgentTesla
c95e7d84353b77c81870d17df0d8a73387b3d3804b5db509b50176b049fa7a8b
AgentTesla
eadde88c8f7d7dcd4174654c77714475743d46b6314f56790e04da399f62f878
AgentTesla
ed7fa775e6484fee75934743e821a3a050e35831a0574685fb124a3e4766a85a
AgentTesla
fe36f8b161c6e9f38fba4be32eb2b67846c9c93de9f48028762f79e5ee2b6169
AgentTesla
+ 11'676 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200803-x1k3z65w7x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 131347c9601fe7bc4e4cf621abbc69686360d1210bf0045d663d97adf5fbef6f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37458/

Comments