MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32
SHA3-384 hash: 13e1dd68d1d008be549388abf7b0cb5f69fd2ee7a7c7e674c98a791a6e9227977d67f7499d4f5504bad1095048e22f86
SHA1 hash: 34f583426b70d2776be3a669da9c60fe8c63f8ff
MD5 hash: 39a5a52bd0138cb973e646915bac0303
humanhash: fish-illinois-ceiling-bravo
File name:Thalesnano.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:465'920 bytes
First seen:2021-04-07 05:53:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:aevtgDeOigwm6nVAN8Uc/n6r60/VDUSY4tuRdv9yVjfaN5MIIgtnzKXGFYnV4hf2:aOtKpIV1Fn6OAVo1T9ugAWhf2
Threatray 3'881 similar samples on MalwareBazaar
TLSH 53A4D0D5B737A90EC2480F3BE437587472FA94267127E32FE8F876D50836689463A913
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.coboisa.com
Sending IP: 194.31.96.140
From: paul <account@victim-domain>
Subject: Payment for invoice no.2021.00294-02
Attachment: Thalesnano.gz (contains "Thalesnano.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Thalesnano.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:50:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2a07c39-dfb4-4932-a725-6506a0cccec8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132755/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.13451.12922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/668355
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 05:54:13 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqqoqeigivpz7mmu6dxnfankud2ic2nhfd3tw62c6dkl5r73zqza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fc02fb4b07f919a0ff54d7e3ef0ca5fa9581fc26fa311e44338c32590f36a3b
AgentTesla
105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1
AgentTesla
5b8e5eaab8f48bd7ac92bf7437383abc5182ec3667443de0aee1f5d2b8711750
AgentTesla
826298b4d035818be292a13b27215db4d94733f28df50f94e9a93a5d3fea2190
AgentTesla
841b06b50c50fb14aa583956475f860d25ce4180d9cd7d26090cc96cea3903eb
AgentTesla
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
AgentTesla
87fde2e49507d58cdcc464c5d3e36d322c7f77a4f9e5cc0f1a46455f1a67df5c
AgentTesla
8cdb536378c7a12bb65333b52664cb99cd74a8b14afbc1b74ae73111b8edfc57
AgentTesla
d01b3522dd2a17cd248709a670e7da25be8ab17565848e76b1087d1d1e11fe33
AgentTesla
e0cb1fe1256cbf26178ffac07b55cdbd9ed9e9cd53d1d2642f8ba43db84cf8b4
AgentTesla
+ 3'871 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210407-gh73w328en/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32
MD5 hash:
39a5a52bd0138cb973e646915bac0303
SHA1 hash:
34f583426b70d2776be3a669da9c60fe8c63f8ff
Link:
https://www.unpac.me/results/2c6df4f6-fa9f-4ac8-8e4f-98fd14f2b85d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz e9cfd1c6ec2440f901e786a33478de70fd090e1e9dc9b55aedba8fce5b2a4d50

AgentTesla

Executable exe 1c20e81106455f9fb194f0eed281aaa0f48169a728f73b7b42f0d4bec7fbcc32

(this sample)

  
Dropped by
MD5 6cc5d04f6f11b8d14e05184af6f19668
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e9cfd1c6ec2440f901e786a33478de70fd090e1e9dc9b55aedba8fce5b2a4d50
Cape
Cape
https://www.capesandbox.com/analysis/132755/

Comments