MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60
SHA3-384 hash: ceaf31fa68d97df19859c5eef73e4dc8d4faf6e65a55c6179ff56de21542fcbc8c8c1d170b0ae800ee67baee338fd2a9
SHA1 hash: 3cc4c15ac9024db06789477875c512cece2dcd68
MD5 hash: 6b075dd514bb73528f7292d1c5ecb434
humanhash: robert-lamp-sink-salami
File name:RFQ-20511-QUOTATION.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'936 bytes
First seen:2022-02-21 11:36:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:li2GDYvuz7FpJgH22qla5w/yXbxlih6LJQ8fhL4MAw:li2GcmflgH0MW/Ibxlp54MA
Threatray 15'224 similar samples on MalwareBazaar
TLSH T15F054A04FBB1DE91E9A4453B96F533011F2DAEB08CCAF60B71C9B8398DF6B562E41158
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242940/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62137966875593a3ccfaf662/reports/aa352bd8-c067-4a4e-bfb8-d34e8be06e7f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1badefb-46e0-4468-9f52-3400ed2fff85
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/943181
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 11:37:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cp75whqk7cop2y3zp5xcf4nudkv5qonqzahxndbldyc5yjoyzzqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e
AgentTesla
4c67722d6cbbdf3ca55c350488c348f1ccc5177727bd008c10856b16c8510b69
AgentTesla
54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1
AgentTesla
7323b8d5a71d744ada47370e02c8d86eb551bacb6881aee27ed7ec61cc22e068
AgentTesla
9898c37e93d4e9a054c013f34ca57c1aa9130112c9104386219f94e1125d0b97
AgentTesla
9dc456c763a1a7999883f059a1438c37bd4888ee0e93285d4de8f5eb5d91bd90
AgentTesla
d3bee5348b0108ed67db1d364f29d51a4b0f119cdf45e7b7c414b49e55eeb548
AgentTesla
da4e120e4586c277edfa8a75a76f502a53c60594caee8b0bdf452220c9c61efb
AgentTesla
fce3f94a3ada9b313d42d261e01794bec35d98dffee6ec9bd101a34b4511691b
AgentTesla
+ 15'214 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220221-nq59jsaab5/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026
MD5 hash:
9fbb8cec55b2115c00c0ba386c37ce62
SHA1 hash:
e2378a1c22c35e40fd1c3e19066de4e33b50f24a
Link:
https://www.unpac.me/results/b35879e0-b758-4e10-a11e-df44e488295e/
SH256 hash:
2fb422d568b61934c9b28ff556666a0361df210650f0a63629f3b900fa8e0ee0
MD5 hash:
f124008e76ffd4954ce04c5a7648cf99
SHA1 hash:
a9b44544f5a1730b1f6dcd015c0c2fac1eea4606
Link:
https://www.unpac.me/results/b35879e0-b758-4e10-a11e-df44e488295e/
SH256 hash:
a65533caf3c4b672cfceb3fb1cb051f486c2ccbf03c8649ee240fea20cba3d1e
MD5 hash:
7815cc5af3ff73bdd09324781b9009e5
SHA1 hash:
7ae84126bc7cb352a4b14f1cf28ee4bb8a979862
Link:
https://www.unpac.me/results/b35879e0-b758-4e10-a11e-df44e488295e/
SH256 hash:
13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60
MD5 hash:
6b075dd514bb73528f7292d1c5ecb434
SHA1 hash:
3cc4c15ac9024db06789477875c512cece2dcd68
Link:
https://www.unpac.me/results/b35879e0-b758-4e10-a11e-df44e488295e/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/13ffdb1e0af8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 13ffdb1e0af89cfd63797f6e22f1b41aabd839b0c80f768c2b1e05dc25d8ce60

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/242940/

Comments