MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45
SHA3-384 hash: 973b3bc409cada4246661676a909c7456a66e17da1806f72d28bef70d7ed62871af5e786685d93f4d577c7e0808ccefb
SHA1 hash: d59be2c982157d05b9cfc6a51af665bf84262b4c
MD5 hash: ad2aa876b41698adaff80c069071778a
humanhash: mike-fix-blue-pip
File name:Our Inq. Ref. no. 380-2020-10-05.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:970'240 bytes
First seen:2020-10-07 13:44:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:OAZIli5UY8UOIEZFxP+svjcxr5F69179V4IBd1mhAhQb9o7vj:OeIkOfEsLcxr5F6X7zMqmbk
Threatray 375 similar samples on MalwareBazaar
TLSH 0B25C01092880267F132D038A626D5786BB69D426A04D6D52DD6DCBFFECFFD8F5E0248
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68956/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484229
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 16:44:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=agqwuewt3voqckdrbrbfocelrnlbuelgwtiwajt2d35o5mwu7rcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142
AgentTesla
253699419919004fb74774050abd7d0137363801f969ad6a5a9dd96c924308b1
AgentTesla
516f16ca6f1b1ec44cb6c21f9849ceb0e7474adffce7530d1fe46c4483e5c27f
AgentTesla
787bbb324bff5c9623f81bcfb8eb548a5938a50323c594440bc46dacd52276a4
AgentTesla
8616545829272fd918765d945bb44e610852b995be21965577b77cfea4868007
AgentTesla
96c4bcff0df93379d1447731b9fd7738ded981e16b2a646668ae1bed2f72a320
AgentTesla
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
AgentTesla
e03c4f9c8ae0b28a7538315c3af97428339911bd6118371c0459adfd14abca44
AgentTesla
e281f0b064faeff8de9de21c7bd3ef3b385decbeb9cb69cc72035c02c1571eb4
AgentTesla
ecd02b07f2d16323eb97c26de4ed644479f33bd6c20fe4b554cff7ef1b62c300
AgentTesla
+ 365 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201007-1e628pheqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45
MD5 hash:
ad2aa876b41698adaff80c069071778a
SHA1 hash:
d59be2c982157d05b9cfc6a51af665bf84262b4c
Link:
https://www.unpac.me/results/aa2143d6-f007-4266-ab7d-62d56db35616/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/aa2143d6-f007-4266-ab7d-62d56db35616/
SH256 hash:
26fe66a1516042ea31a521f54e77e9742560eaaa444259faa0c302d1be1bfd34
MD5 hash:
795cff0c09dfaa17239d316362a2ccf2
SHA1 hash:
377a373e595d037fa45fa592b52f4548f79bce2a
Link:
https://www.unpac.me/results/aa2143d6-f007-4266-ab7d-62d56db35616/
SH256 hash:
33a4a7805fb0f53362620d1625dbe06c6842f3162ba96b2270ff5372670b72ca
MD5 hash:
fc2709d9c3eb38b71adaccfbd89fa510
SHA1 hash:
b06686a1d3ad984a8a57d6713054252211d183f9
Link:
https://www.unpac.me/results/aa2143d6-f007-4266-ab7d-62d56db35616/
SH256 hash:
71585097fc523667ed6eb28a2d1824c187faa98be90efc123866ea9e6c056f0f
MD5 hash:
55a52a72999f147156020d6023241722
SHA1 hash:
cddc8a2b051a8df8eb0fe71e2d9681c6a9d66ce9
Link:
https://www.unpac.me/results/aa2143d6-f007-4266-ab7d-62d56db35616/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 01a16a12d3dd5d0128710c4257088b8b561a1166b4d160267a1efaeeb2d4fc45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68956/

Comments