MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
SHA3-384 hash: 3ae143988027474846f4dc74c48edecba9ca6e912647c9088e6badbf02e2da34a7fb39bc5a43943522e221330edd0b33
SHA1 hash: 13238034c80de1242efa4175182ee7797c77a3d6
MD5 hash: 4e1dc0d2e17e635f67331b851f251cfb
humanhash: uncle-stream-helium-river
File name:MV TW HAMBURG_VESSEL DETAILS.docx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:588'288 bytes
First seen:2021-07-06 06:19:13 UTC
Last seen:2021-07-06 06:53:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NdIopFjV4h+DrEmvdEslw10RCUcPsFDbc:HjuOrEmvdEsl9CDsF0
Threatray 6'653 similar samples on MalwareBazaar
TLSH 32C4F10E7FEA4664C09407B1ACB7E2509B71AE574C56DB4AB488B3072FB33C14A57F26
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV TW HAMBURG_VESSEL DETAILS.docx.exe
Verdict:
No threats detected
Analysis date:
2021-07-06 06:22:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa2a3ea2-003c-4118-b866-918b21cc01c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169863/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37191868.9513.15712.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/57241b4f-773c-49f2-9f12-cfc8da3b0859
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/812072
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-05 15:54:36 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=edburuetawt276alhftrowsppi6h3272rknop67t3rf7ghyozh3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
AgentTesla
750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
88f94c1e8a555d84bf7ad2e0fe21d82d33f1976786267af93808cc050d039bd9
AgentTesla
a2116a39b0f6ba02799d74e44c3521e530685b6726b4443060a142f639d597d6
AgentTesla
abfd412e775e8a81efbd61484a67de9aed008c0e51910d9d8a9051c4ea9856b3
AgentTesla
b399203403e92ab8865f492c93233be4d4d1ac1316c571b43171a052c7b214d7
AgentTesla
b54106089f5aa0b97aca6eb87655113e0629010b71d0a47c34d7dfaee54f0891
AgentTesla
cbf445acf88f00bf98448420369d09bb35264d53667272e3363fae6378fa7a1b
AgentTesla
d23d794e3cf354c91c283e13eaeae77749e3265866758d999b99c06a98861a05
AgentTesla
+ 6'643 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210706-jhgq55j2ma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
c571c19d9bd2d8baa9eac82039f12405272ff5617a33261bb3dc7abed9efa6d4
MD5 hash:
b33d2983a8986d40ecc99830716c5d2c
SHA1 hash:
d22be2a22cf3292e1441de01f7e30b24ef6feb62
Link:
https://www.unpac.me/results/cabaa9c2-cf8d-4186-8aca-ef908327e6de/
SH256 hash:
30e8c69eb800313971e86c4879bd059a8cc6a1662fcd70ddfdb2c0695cd28e2a
MD5 hash:
c3166ed7ba6538ef2d706e6c054a705e
SHA1 hash:
6ab978ee8671206f5a4d410b1cd44af3ed9eb0f2
Link:
https://www.unpac.me/results/cabaa9c2-cf8d-4186-8aca-ef908327e6de/
SH256 hash:
3a95c7de01ef3fec3e61c52514e5aecdf19dc9bb97a6d2d58f9b6b7cabba9f80
MD5 hash:
e687d4d789932e1da68a237dcd597eba
SHA1 hash:
28bdf12e572de5e4b3e6209d7098e056996e4ec1
Link:
https://www.unpac.me/results/cabaa9c2-cf8d-4186-8aca-ef908327e6de/
SH256 hash:
3987b1a0103d087d89d296f3afef730ed32781e0a2afc9764c96f78a57ca39e6
MD5 hash:
6d0f7d3d067d36b184dc167a391cc2eb
SHA1 hash:
25600220a43bbd4bf34464c3346edd8a8ee88004
Link:
https://www.unpac.me/results/cabaa9c2-cf8d-4186-8aca-ef908327e6de/
SH256 hash:
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
MD5 hash:
4e1dc0d2e17e635f67331b851f251cfb
SHA1 hash:
13238034c80de1242efa4175182ee7797c77a3d6
Link:
https://www.unpac.me/results/cabaa9c2-cf8d-4186-8aca-ef908327e6de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/169863/

Comments