MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920
SHA3-384 hash: 3edc2a52f7be48129c58bcd1726250f4d73e965585cd7e35572631eb721c4ae0ad5037b797420b8422cd0437b7c98e9d
SHA1 hash: b618c0f1b5c453afb85905e0bb8c1c8351cc5c44
MD5 hash: db936d1f66b45cb0667faa86e10e3d73
humanhash: delaware-tennessee-seven-avocado
File name:db936d1f66b45cb0667faa86e10e3d73
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'096'186 bytes
First seen:2021-10-16 16:13:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (871 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:rAOcZQh9J9h7TDb2BYMwprds5a6TPY5I7nT1RMwazO:tJcYMc96c5IzTXM7q
Threatray 1'029 similar samples on MalwareBazaar
TLSH T1A6351202FAC1D871D8A32D315A39AB106D3E79215F349A6FE7E459BCAA305906134FF3
File icon (PE):PE icon
dhash icon 0ccaaaa4b4a40cac (5 x LummaStealer, 2 x AgentTesla, 1 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db936d1f66b45cb0667faa86e10e3d73
Verdict:
Malicious activity
Analysis date:
2021-10-16 16:15:31 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/3d3b424a-9d70-44c0-b8ce-aedd9847d086

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197906/
Detection(s):
Win.Malware.Autoit-7191974-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Launching a process
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook greyware overlay packed
Link:
https://www.filescan.io/uploads/616afa4ea9d585e6d52b160d/reports/cf5e508c-4584-4d36-ab06-5c41e7d5ea7d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42e75df0-b998-491a-b595-c1e722ce7625
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871641
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 504065 Sample: c2PnaEHRmi Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 31 smtp.lko-import.de 2->31 33 us2.smtp.mailhostbox.com 2->33 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 8 c2PnaEHRmi.exe 77 2->8         started        12 eBbIsjQ.exe 2 2->12         started        14 eBbIsjQ.exe 1 2->14         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\oefansuf.pif, PE32 8->29 dropped 59 Drops PE files with a suspicious file extension 8->59 16 oefansuf.pif 2 8->16         started        19 conhost.exe 12->19         started        21 conhost.exe 14->21         started        signatures6 process7 signatures8 35 Multi AV Scanner detection for dropped file 16->35 37 Writes to foreign memory regions 16->37 39 Allocates memory in foreign processes 16->39 41 Injects a PE file into a foreign processes 16->41 23 RegSvcs.exe 2 4 16->23         started        process9 file10 27 C:\Users\user\AppData\Roaming\...\eBbIsjQ.exe, PE32 23->27 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->53 55 Tries to steal Mail credentials (via file access) 23->55 57 4 other signatures 23->57 signatures11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 04:25:31 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=comxzkctoyeuhfifcnp5op54kpgucd6fj4yhxacqzbfqzbn4zeqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03c6ec94511f79ea5315870ca752e55f074581382a9e33ea403281e3bec95968
AgentTesla
0ce9dd105728a0d9dff59c549aabe49d4b9eeaa92f81f84ba82119b00962eb05
AgentTesla
141c6b8848fa3cabc916fd0c8048c2a2a7ddbe9009520cab75154843d7cddbe9
AgentTesla
336c8f08437e02813b6f5c4a9e61f6b22f93fb28b014532dfe48b5a1707f6cce
AgentTesla
4a4da69215b399bdf428b5ca73d7f26e91042dd43011ff6e8c712ecf0b7c6154
AgentTesla
66bc28999e398e9ffcf4ff0f36c9b1be8aa85383aa067f574a6c7ac86502a072
AgentTesla
6ec80b2dc86e97a886c52fb67aea4ce1ab195587d51236f00cd5c4bf93edb4eb
AgentTesla
831b9a469de0d9441e977b8b055235bf56e2a51a9fb0c4a08424c733e33271d7
AgentTesla
85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c
AgentTesla
+ 1'019 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211016-tpnk1achdp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
66cce95e3a1e00afc47758f9f20780a718ea6ad8e5c1237b4115bf11a27339a0
MD5 hash:
d89b7d06dac2f89fcacf9df3cce11230
SHA1 hash:
1e590122a7aff41608a92ecd152f4e960ee39a5b
Link:
https://www.unpac.me/results/5aa64d35-7e46-432c-8cf5-3ae36c1a0fa9/
SH256 hash:
0932e10f47b0f5ca3f73efaf26ecf1da4a88e7953f96ef242687cd9ce46e32ce
MD5 hash:
65177174b0d01d2be9674e6d20c1ddf2
SHA1 hash:
95cd6b593bb79502f20069d042abc54d59ac667b
Link:
https://www.unpac.me/results/5aa64d35-7e46-432c-8cf5-3ae36c1a0fa9/
SH256 hash:
13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920
MD5 hash:
db936d1f66b45cb0667faa86e10e3d73
SHA1 hash:
b618c0f1b5c453afb85905e0bb8c1c8351cc5c44
Link:
https://www.unpac.me/results/5aa64d35-7e46-432c-8cf5-3ae36c1a0fa9/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/13997ca85376/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 13997ca8537609439505135fd73fbc53cd410fc54f307b8050c84b0c85bcc920

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1685447/
Cape
Cape
https://www.capesandbox.com/analysis/197906/

Comments


Avatar
zbet commented on 2021-10-16 16:13:42 UTC

url : hxxp://ateliermue.info/wp-content/aa.exe