MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5
SHA3-384 hash:	fe07e7644447708979f6e050f206a42e9cfa66963dab0178fcedcbbef9b8766148d9636757c9d930cd6b4bdc88add679
SHA1 hash:	d09b133968bb615544c54f85a465e06c8b057417
MD5 hash:	a28f16df2ae4cb9ee1473798df5c424e
humanhash:	saturn-rugby-ack-hydrogen
File name:	13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'080'160 bytes
First seen:	2020-11-25 12:36:29 UTC
Last seen:	2020-11-25 14:51:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'605 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:9ln5PqttqmMb/DFRC+nU3jX5CKD9TLQyv9NJVmESVgu6KK40CGFM6KEjfH:DlqSmMb/xR0sKtt9NJVxVu6Kb0JJb
Threatray	9'536 similar samples on MalwareBazaar
TLSH	B1359D2377458654C96C72B305A4EAD23725F9CA36408F0F328FE3199E932DB6B1D678
Reporter	madjack_red
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/546921

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Suspicious

First seen:

2020-11-25 06:28:11 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=coruesaqtuu552gciz5nftv5blhwoew7pw4s3dfhz6oleh3q5ssq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0ca1f0a08b7a21079683beeaf8bfa86df3d396b8d7a0cade52e963b78bd9a7e3

AgentTesla

1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984

AgentTesla

50cbc0b693b4204caf169db073592dc53b8b1c21b9e71a640ee79692918cdcef

AgentTesla

516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b

AgentTesla

602539024550629c94790807ab0f6b99379a53767b14375963e64b71a2185408

AgentTesla

9b71ca5e5e3faf0bd77b6f6d370d5aa32dffd3e2019b15624a544487895f82f5

AgentTesla

a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3

AgentTesla

ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317

AgentTesla

d17de71fad23c19ea4e181c8fe33be0fc230d15be13e6d3c755c77e7ff1519d5

AgentTesla

+ 9'526 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201125-3e42htkh2j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5

MD5 hash:

a28f16df2ae4cb9ee1473798df5c424e

SHA1 hash:

d09b133968bb615544c54f85a465e06c8b057417

Link:

https://www.unpac.me/results/30a23f63-86d6-4116-b1a8-c5e516bc0512/

SH256 hash:

4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd

MD5 hash:

304cc4a1948539064cfec5b70bd83e21

SHA1 hash:

32b3754f52323fd71b8349f01c9dd4bc4fecd880

Link:

https://www.unpac.me/results/30a23f63-86d6-4116-b1a8-c5e516bc0512/

SH256 hash:

4336f33abd4868cb2547151ac21ed6bccce97f5ddf4e3f7a17176abd930a5010

MD5 hash:

72cce92723be5ff1b387ff655d4f84ed

SHA1 hash:

c3b26c6c4839874f0a4f12ecea19ac891ee295f7

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/30a23f63-86d6-4116-b1a8-c5e516bc0512/

Parent samples :

13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5
ba0f71fb8d0bc64a55644f7086fe2e03d78dab544f9998658eca5ebd2c48be76
e49644244645c3be9ab057acc1f3f84c12a066bc570529dff3842c2c6f5d72aa
b29cdab25f43c9c71ef7b132b3064eb5243e82f3bde2acd6cdd48a24cf30e527
63ffcd2680423128ba007fc38937dce83f0c4466f65e4f1021e84287b990c422

SH256 hash:

9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037

MD5 hash:

6e53bc3c0364eefd1d448d25e026975d

SHA1 hash:

f11ea87b0638531f442b113feb19dbaae81ad518

Link:

https://www.unpac.me/results/30a23f63-86d6-4116-b1a8-c5e516bc0512/

SH256 hash:

542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75

MD5 hash:

0ab09caf48c9dcbcbd53aef80493abd2

SHA1 hash:

fd985c8ed98d443fde035be26592b92662b9c5ea

Link:

https://www.unpac.me/results/30a23f63-86d6-4116-b1a8-c5e516bc0512/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13a34248109d29dee8c2467ad2cebd0acf6712df7db92d8ca7cf9cb21f70eca5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample