MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c
SHA3-384 hash: a74ac5d98769760a032e72c3cd27af47c552a7421286e1cf57967f1e9183fdb00b5cfa473efc57bd2aadbf03c48889c5
SHA1 hash: fe2e68496eed6e1f789e1befe4f4d349d12e4143
MD5 hash: 652a7d27ddd37e4ce384bc1957c00b9e
humanhash: alpha-moon-autumn-uncle
File name:HTG-69784869.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'240 bytes
First seen:2021-01-28 16:24:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 12288:s95HYGe1IWFBKDDT7TjqOEyFFgjOcw5x49+TzcRpnubAt1zABV0WIgCzfjW477of:s9QwJEyFWOcw5xSqz7AfqhHijW3f
Threatray 2'483 similar samples on MalwareBazaar
TLSH C70523621071D5F6E5334A30087DBE1B97AEB23E282A4BB61B253A477D9041D607E3E7
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe2e68496eed6e1f789e1befe4f4d349d12e4143
Verdict:
Suspicious activity
Analysis date:
2021-01-28 12:24:42 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/71177e22-e122-4cf7-b40c-514a6afec0c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114635/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593112
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 07:56:34 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmq6hefacqo6zl22rwvqb7qcxqir5tru6rdbcwccy2x2a2gh7u6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f83e70be0607dff6b747e235c79ea2fce53d2db4905f53d938aa7d1894ba29d
AgentTesla
1a1e74fbe89bed37913351432c163e204018655e51811aabb9e5fc6a06cf5887
AgentTesla
1ecb56fae94db17332e267fa2d786083ac82329386f8405152768cd231a40a57
AgentTesla
238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
AgentTesla
26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
AgentTesla
a690487422504d796125e9df91b906d43a3584cb8b9da7d06fc8f50ce8126c33
AgentTesla
b9b2c05c193a6df71266380c102c635199a45263722c6395a0b03de819a01ee1
AgentTesla
b9df96522a30d05a026ab8874eef5ddae02042585e4cc5773909838250cf2635
AgentTesla
f1499a31119aa7a22c867b15923b5cc2671e3ce67d9408485b78f3aa9143ce0e
AgentTesla
fd21ea0fe3b13bc6f4173e46304760631907bc61ce3250844f001c60c1011c05
AgentTesla
+ 2'473 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210128-yj496ev8ta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
Link:
https://www.unpac.me/results/3ae648a6-0147-4da7-9ae8-039c4113d818/
SH256 hash:
ef3076f6d5133737cdde48424c5d9c81a9950058ec8a613e04aef8330488c230
MD5 hash:
251c71a2e4d45be867d59ae3a17748ef
SHA1 hash:
31374500c62e5d449df14e31d2c365e12ee79221
Link:
https://www.unpac.me/results/3ae648a6-0147-4da7-9ae8-039c4113d818/
SH256 hash:
71d26e8ddb0cb9589df6c5df5d3737a615bac43733face35340c40c0bdd9404f
MD5 hash:
b1dbb365c24e0428ea2200601b3a77db
SHA1 hash:
0bc9fff08fa7cbc5dced2dcadba6549fdfab6793
Link:
https://www.unpac.me/results/3ae648a6-0147-4da7-9ae8-039c4113d818/
SH256 hash:
1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c
MD5 hash:
652a7d27ddd37e4ce384bc1957c00b9e
SHA1 hash:
fe2e68496eed6e1f789e1befe4f4d349d12e4143
Link:
https://www.unpac.me/results/3ae648a6-0147-4da7-9ae8-039c4113d818/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 94f8a57adc2ecc7ca69036a725f9f9c20322bf3cbad7e6008a22bbf03290ad66

AgentTesla

Executable exe 1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 94f8a57adc2ecc7ca69036a725f9f9c20322bf3cbad7e6008a22bbf03290ad66
Cape
Cape
https://www.capesandbox.com/analysis/114635/

Comments