MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1304858aed1ca418af95d891f8286843bae63dc9434b6beaaba6f4278b3db33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	a1304858aed1ca418af95d891f8286843bae63dc9434b6beaaba6f4278b3db33
SHA3-384 hash:	8bc21f05f10c4e06a042f77e42f7d1f51998996a0f732a453aa95e335c1637d0240bcc0f4cda422e8fc049fbcd815f15
SHA1 hash:	2c0e052a9146e474bf08f283fee48b13cec96d33
MD5 hash:	2d41893072c12853795b4e9b4b7d3e31
humanhash:	lake-east-mango-california
File name:	Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	825'344 bytes
First seen:	2022-02-11 12:07:29 UTC
Last seen:	2022-02-12 14:42:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:TM+38K+ABajZAamdlJTdw9gRp8pRW32O:TZsFFreJBwSn8no
Threatray	14'529 similar samples on MalwareBazaar
TLSH	T19505F1ED765076DFC857C6BADA682C25AA603477630FA74B801344E99A0EAD3CF100F7
File icon (PE):
dhash icon	f0c4b2d4f0a2ccf0 (25 x AgentTesla, 9 x Formbook, 6 x Loki)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quotation.exe

Verdict:

Malicious activity

Analysis date:

2022-02-11 17:37:27 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ad536053-ec14-4796-8d10-7cba751bfa45

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/240920/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1196.6982.20164.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/620651a7289e2f3e4fc2b106/reports/57b05770-89bd-465c-9902-910e20b2c718/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f635d4f9-b80a-4db9-8629-01446b9d13c0

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/938261

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a1304858aed1ca418af95d891f8286843bae63dc9434b6beaaba6f4278b3db33/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-02-11 12:08:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ueyeqwfo2hfedcxzlwer7augqq524y64sq2lnpvkxjxue6ft3mzq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

31149772b5eff1ebb9326af6a2ee4e4007dd6c6ad30bef239dc7bf50cd1d219f

AgentTesla

66f6704f7b3f314f6d7d076dbdc4576d3a9c91cbf5f7a497f2e8f3dd306d7c05

AgentTesla

705dda74f1a9b2163c3b5f79fe3079dbb2aa940017346d63cebf62a379068684

AgentTesla

777ab54efae3ebf08dd94823c2bd4fbd6c8e063dad74d4f3eb4a5a32cb1ba6d0

AgentTesla

77a08dbc2052b7975a75b0e4069577533fb0ad3c12966c687e2ce81c59356614

AgentTesla

9f6eff0ba2e16b8b35a9cca149a305912ab74d1436f91426feb14e891e42d478

AgentTesla

bffbf7f6312bd941c0d00fceb42df9c714f9d178678aade5a46a13561883ad60

AgentTesla

ea17d1ff94d88763098609b49e10167d233c78094cffdc95a96ec99f5ed07cf5

AgentTesla

f3af27fc0194d9700d308fbf8c06593d6585e6303706cdd3aa32afec3ba7eab4

AgentTesla

+ 14'519 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220211-paw7dacfd2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5112166551:AAEVE3hrPv1AYt9KUGB7F_XFWKFT4haGOVM/sendDocument

Unpacked files

SH256 hash:

f365b92b11041eed57b6f7534e83e04167fce1cfacc570e79335292f3c0ea8aa

MD5 hash:

9147a2ef317fe384182d1281e5af8110

SHA1 hash:

bbe360e6eca29a32e1f787e1416ddad4d35dcf1a

Link:

https://www.unpac.me/results/eaa3aee4-9ff1-4f13-988e-a6a1bfa78f88/

SH256 hash:

f935682dd927f70fd5f41cbde19d99866f0900b6c62e0724e4ca67e6c640855d

MD5 hash:

6ef8852e80e99d6c7448f230112e3f47

SHA1 hash:

a4bc5fecf64b8d5839b49dea79fead2214664167

Link:

https://www.unpac.me/results/eaa3aee4-9ff1-4f13-988e-a6a1bfa78f88/

SH256 hash:

1df5ce82f3a994a8ac57f73feb647dfa235d56a5d8389f0b45991b1bf8a570f7

MD5 hash:

6b8a77d9c956b94d51d5578b474ff22d

SHA1 hash:

990893931b57e63c1c0f3e4f95293415aa07dde3

Link:

https://www.unpac.me/results/eaa3aee4-9ff1-4f13-988e-a6a1bfa78f88/

SH256 hash:

e62c3c33e22c6b77ee3083476cd3b58148c8009c35134ada2c8f2375a305262f

MD5 hash:

9f5a2645762329fd5975b74bb1ad7fc3

SHA1 hash:

5c7543cce85eed8b63218f031eb2b29b53b7e67c

Link:

https://www.unpac.me/results/eaa3aee4-9ff1-4f13-988e-a6a1bfa78f88/

SH256 hash:

a1304858aed1ca418af95d891f8286843bae63dc9434b6beaaba6f4278b3db33

MD5 hash:

2d41893072c12853795b4e9b4b7d3e31

SHA1 hash:

2c0e052a9146e474bf08f283fee48b13cec96d33

Link:

https://www.unpac.me/results/eaa3aee4-9ff1-4f13-988e-a6a1bfa78f88/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a1304858aed1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

Rule name:	obfuscate_macros Create hunting rule
Author:	ddvvmmzz
Description:	obfuscate macros

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/240920/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample