MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
SHA3-384 hash: d7e0ff56afb2d060e05a94f1c8d8d6d9235dd538114a9013e8e0ef70685cc6a2c9c9118dab1fddccb296cdc7eff9e5dc
SHA1 hash: 69e8171f929a3d181413c269e8d8325d7ea31c6e
MD5 hash: e43e71d24b098881f85a4b55b99c1ba5
humanhash: nebraska-emma-michigan-alpha
File name:Our New Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:739'328 bytes
First seen:2023-04-18 22:17:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:CwRJXJTxigow3SQGlbpt/L1I1eop9YavvqfcZRhArjNkMJteQU7:7XNxirw3SHdtLyD9tRhaveZ
Threatray 301 similar samples on MalwareBazaar
TLSH T104F4F118E135ADB6E69E0B3500153AE9DB74AEE374B7C63C0B96748ADBBF3112C44187
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon e0e2aba3a5b8b8a8 (38 x AgentTesla, 18 x SnakeKeylogger, 14 x Formbook)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Our New Quotation.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 22:19:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cdaa5810-bcff-4719-bbed-ce32ee3249d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383114/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.Spynoon-9939401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643f171b8da0bdd508330434/reports/b62cec9b-de54-409f-8b79-a3b9dd4f0d78/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bacb09a9-1097-470e-b599-552a5a73c2fe
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216396
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849324 Sample: Our_New_Quotation.exe Startdate: 19/04/2023 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->69 71 7 other signatures 2->71 7 Our_New_Quotation.exe 7 2->7         started        11 toQQnZNDuVb.exe 5 2->11         started        13 bUhSoz.exe 5 2->13         started        16 bUhSoz.exe 2->16         started        process3 dnsIp4 53 C:\Users\user\AppData\...\toQQnZNDuVb.exe, PE32 7->53 dropped 55 C:\Users\...\toQQnZNDuVb.exe:Zone.Identifier, ASCII 7->55 dropped 57 C:\Users\user\AppData\Local\Temp\tmpD61.tmp, XML 7->57 dropped 59 C:\Users\user\...\Our_New_Quotation.exe.log, CSV 7->59 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 7->83 85 Adds a directory exclusion to Windows Defender 7->85 18 Our_New_Quotation.exe 2 10 7->18         started        23 powershell.exe 21 7->23         started        25 schtasks.exe 1 7->25         started        87 Multi AV Scanner detection for dropped file 11->87 89 Machine Learning detection for dropped file 11->89 27 toQQnZNDuVb.exe 11->27         started        29 schtasks.exe 1 11->29         started        63 192.168.2.1 unknown unknown 13->63 31 bUhSoz.exe 13->31         started        33 schtasks.exe 13->33         started        35 bUhSoz.exe 16->35         started        37 schtasks.exe 16->37         started        file5 signatures6 process7 dnsIp8 61 host43.registrar-servers.com 198.54.116.10, 49700, 49701, 49702 NAMECHEAP-NETUS United States 18->61 49 C:\Users\user\AppData\Roaming\...\bUhSoz.exe, PE32 18->49 dropped 51 C:\Users\user\...\bUhSoz.exe:Zone.Identifier, ASCII 18->51 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->77 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 29->43         started        45 conhost.exe 33->45         started        79 Tries to harvest and steal browser information (history, passwords, etc) 35->79 47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 01:15:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnuba2bgcby5g5n4latvkapxfo7cne7u35xmia3ewl3cydvrweda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
AgentTesla
52208dce9b01e32cd33278444f09b15ba8163a919c73d3d5e33401ce6520c7d2
AgentTesla
69dcb21b36f6de65c945422621bc55badbebb0312518bd7f38b704d5a1ae7930
AgentTesla
7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
AgentTesla
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
a15153863ec4bed33ce7f014da9861ef349b152b46a5978d5c03b5fe75544aea
AgentTesla
c046fa2c19c9ff918bc1918ec579fc4e01166553c97753ce85fe744561f0973d
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
+ 291 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230418-17xpysge2z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
be75f3b3cfaa63446129af48ff177a86e91b22b7342205bdebe21158858c02a6
MD5 hash:
c803443d846a68d2ef80dc3df705034f
SHA1 hash:
b87acb2dd2b78a15472717b5806cc07950d497b7
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
SH256 hash:
6adcd6de8615d7452ff05b209d20f3cde3db214daf3068b63d80b7990bb0fb2f
MD5 hash:
6a2ed48c4854bd179e378c2f5b7e9c39
SHA1 hash:
add9a89cb3dcca2cea1f4029f5220843530e94de
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
SH256 hash:
39dd649c044feae9d43ddd49e64c4c2c7b434131d5951b58c6b70f4d1356035b
MD5 hash:
4bba97de1b97225183ffccb680f9bbd9
SHA1 hash:
9f194249d95f6abebfcf7ed1f0e03440b2487ee2
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
Parent samples :
a494db0ac3044848e328e4df3cda6dfd698f5389376623cf9936cfc7ce5a31ad
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
0451b9c358b1404717f5060aea5711327cf169cd4c5648f5ac23f1a1fb740716
6beb6c8530ae26563b435151158d82e6e097cf51a4e27693c694aa237207d57a
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
SH256 hash:
a9f23a97db636c02f2f46e5daae8aefebaf10daa020ad5eebd5f17c1e1f42514
MD5 hash:
5fcd6b8318a5b79f42d2b453798def2f
SHA1 hash:
7608a30ebea20ebb6719257f09a82f4a62091322
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
SH256 hash:
13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106
MD5 hash:
e43e71d24b098881f85a4b55b99c1ba5
SHA1 hash:
69e8171f929a3d181413c269e8d8325d7ea31c6e
Link:
https://www.unpac.me/results/25fa8090-ccce-401e-a31f-41378bca36ea/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/136810682610/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 13681068261071d375bc58275501f72bbe2693f4df6ec40364b2f62c0eb1b106

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383114/

Comments