MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5
SHA3-384 hash: d4b29f806d3814bf08a8b91aa29e8ed1d16aecae50ae0ad5f74b61a74eb29f9351306f715725707239caffef18d86f50
SHA1 hash: 05a3583e23261f861350caac2c489e2c33b248fc
MD5 hash: ddc8055401fdf710234143f633e8b6ba
humanhash: uranus-beer-georgia-apart
File name:AWB - INVOICE AND SHIPPING DOCUMENTS.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:592'896 bytes
First seen:2020-11-03 06:05:12 UTC
Last seen:2020-11-08 14:21:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:vierLRyi8aUYOBKH4QXmNfLFb6oTx7oPpZJC0hDOIoXX5:vikLUinH4QXOJb6gx7YPDOIon5
Threatray 913 similar samples on MalwareBazaar
TLSH 06C4F02263986FA6E53D777D4121100007F1E966F736E65FBDEC54DE4AE2F808B22B42
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81921/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.2214.21068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/518811
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 16:25:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cosbypimprsgvkqkdv3pqaahe43zanluseyqqhogydmnqy3nzpcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
262a211656d15bead6b81f0755443a6e8aff1a3316318b326355a575087e39d2
AgentTesla
27bec5b0582b3447dfbf1e2cca8afae778532caa31b449bebb434d5468cbe3b7
AgentTesla
320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e
AgentTesla
44e995cb44c1ae6e48b73fdbb300634144d62f54787422012c2f0930b2440a57
AgentTesla
5c3e3d39b5a83c245629704b440a8310ed5fe6c99bb559a0f69c0afde00fccce
AgentTesla
60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410
AgentTesla
769c63d7722789bcf1466427349b829860136dd7a2337abc48e6a96bf6442105
AgentTesla
ad8aeed2d546163aa0b5cbfb430bc9a02896645be4a51cb654083ce18ab853bb
AgentTesla
b156d54df509f02bed378383dc278b7da2a6ba2db0846d4c1086a3196c5bd8db
AgentTesla
ce0b4d46b5a0d870536813367ec05bdac9e32c3ac06d73ed14926b113e3b0ffc
AgentTesla
+ 903 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201103-r4fm49wtqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
bdccbd918b3ecac5fc1b7e51346e9cf4fbee70a52fff96dd97ea0f4be9ec9744
MD5 hash:
3093e247d50cadcd7e9b88472fc850ab
SHA1 hash:
22e93fc20147e1ff657de772fdc91ecae01f1f7f
Link:
https://www.unpac.me/results/ff391da3-5c93-48bf-9876-4f118bbd5af8/
SH256 hash:
24dcefbcdf04810a8c3dc3276f873ab62c579429833a26fb2be2145e703a9ee7
MD5 hash:
b32d2c75e3214535275805f85f7ec59f
SHA1 hash:
8849f8fcbe037c5809fd17dc59b838b9597cc304
Link:
https://www.unpac.me/results/ff391da3-5c93-48bf-9876-4f118bbd5af8/
SH256 hash:
13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5
MD5 hash:
ddc8055401fdf710234143f633e8b6ba
SHA1 hash:
05a3583e23261f861350caac2c489e2c33b248fc
Link:
https://www.unpac.me/results/ff391da3-5c93-48bf-9876-4f118bbd5af8/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/ff391da3-5c93-48bf-9876-4f118bbd5af8/
SH256 hash:
63bf4307af99f48829b913ef3b74761f66a169c2741de1758bdba61e2d0fd595
MD5 hash:
9b09d8efd9502e3fbab1dff64ba5d9f9
SHA1 hash:
0f84808215d1f28783359e9050da714932fbf3af
Link:
https://www.unpac.me/results/ff391da3-5c93-48bf-9876-4f118bbd5af8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 28acbbd11a88f5c89c0f9ab15bbe0c6c620bc0dd44db83406356f1c234194b56

AgentTesla

Executable exe 13a41c3d0c7c646aaa0a1d76f8000727379035749131081dc6c0d8d8636dcbc5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 28acbbd11a88f5c89c0f9ab15bbe0c6c620bc0dd44db83406356f1c234194b56
Cape
Cape
https://www.capesandbox.com/analysis/81921/

Comments