MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f
SHA3-384 hash:	4a79fb103ace28f29aafce9de6b0470c897c0d084b15f6f513ed8afc371a32e2f7c34b92920775a45dc6e89a765a5d4b
SHA1 hash:	76b55b118fb410c97be4e37dc4c9c290c9fdc92f
MD5 hash:	3471da677d260df99d7939b3f2cc5157
humanhash:	eighteen-washington-india-steak
File name:	39a0e9cb.jpeg, QUOTE2020.PDF.gz (2).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	623'104 bytes
First seen:	2020-12-10 09:02:57 UTC
Last seen:	2020-12-11 07:40:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:PEs8hKAWcYdQ0ng9EEf6UOoGTRBTNm10G2XMnuFJe0UbJYBdU21MTAdEoHjG:PEs8hWcsQ0ng9EsjGZi3p
Threatray	1'782 similar samples on MalwareBazaar
TLSH	DCD46CAC365072DFC92BC872CAA82C64EA61747B530BD203A05725EDDA0DA97DF151F3
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

39a0e9cb.jpeg, QUOTE2020.PDF.gz (2).exe

Verdict:

No threats detected

Analysis date:

2020-12-10 09:11:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/682f6135-21a2-47de-ab3f-ec8159434f7f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107615/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.18209.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Unauthorized injection to a system process

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/559884

Signature

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-12-10 09:03:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgv4cyn6vhlm6qzu5kzggg6onbx65kue75ul7zgnaxqw6rki6bxq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

261036c3c84844bc59b94e39261363d6d9443350e27e1fd4fa8e7716ab6a2e83

AgentTesla

55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15

AgentTesla

7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb

AgentTesla

badf7e8ef826b51aaa028ec3a296f7b9432474d8b6377552f0dcbfd520c0df47

AgentTesla

c9747168a0090d1b036e820b6e51b1983deded573227547901baa71f5914c7cc

AgentTesla

d9b7bb2c86f319f087b2e08d9097639b134acff8298e28a736a103e4eb3a6cbf

AgentTesla

e6efc787bb6b6506150aca14be1966713c7a28f55788af42902e500779818228

AgentTesla

f36eeb335a9d18ff16f6b1869f45a0f81d44f93706fd2d39d4568d8d2e694ca3

AgentTesla

fdac92b0fe7d038bfdfa12127cae944e95dff1ef54684923785701d9e92dfaf4

AgentTesla

+ 1'772 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201210-v8tewcsfcj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/f2064953-63f0-4679-85b5-a4a9a1074a8e/

SH256 hash:

a8c411b8a857c6e654b6f5039c4fef29210943db615af54ad28740089028facb

MD5 hash:

d3f7514ef204508b99c0b8e84d7c7017

SHA1 hash:

4f5665d67a80d972aa5976895eb893a1724871a1

Link:

https://www.unpac.me/results/f2064953-63f0-4679-85b5-a4a9a1074a8e/

SH256 hash:

33c0869ea884b0a2cbac0c5ce5812808ac6fe19c670b850e2c80b1d8b98fc574

MD5 hash:

872295358623158189a23ac67add4794

SHA1 hash:

c3fb26f5ee5f3bddfc314c1024733116535b40fc

Link:

https://www.unpac.me/results/f2064953-63f0-4679-85b5-a4a9a1074a8e/

SH256 hash:

39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f

MD5 hash:

3471da677d260df99d7939b3f2cc5157

SHA1 hash:

76b55b118fb410c97be4e37dc4c9c290c9fdc92f

Link:

https://www.unpac.me/results/f2064953-63f0-4679-85b5-a4a9a1074a8e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a74a2dc217026f23ea7f3c153d41994160abfb05520e50aa95a626eb24ae8836

AgentTesla

exe 39abc161bea9d6cf4334eab2631bce686feeaa84ff68bfe4cd05e16f4548f06f

(this sample)

Delivery method

Other

Dropped by

SHA256 a74a2dc217026f23ea7f3c153d41994160abfb05520e50aa95a626eb24ae8836

Cape

https://www.capesandbox.com/analysis/107615/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample