MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7
SHA3-384 hash: e76f57238f59dd5a8fe63d5db4061030f79a6af542b683f3e9f5f6471641ba8bedc36bd0b937bf1bee7abf2215745938
SHA1 hash: 3ec602156676d4014078392abb6b757f64d314dd
MD5 hash: 69809a06bb1bcf7e37c23806d1999556
humanhash: virginia-dakota-eleven-maryland
File name:ORDER_Payment delay order_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'379'328 bytes
First seen:2021-01-11 08:53:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8yH43kj1Hznfemqz0BNYst8AEGLjKZtpNU9dyWD4t+kayjSlpmYvjjU4jaxgMmv:p7zqsyncEWmCqUpmmjjU4IgMmv
Threatray 44 similar samples on MalwareBazaar
TLSH DA556B51DB80DB60EE6C17BD2436882512A2FE39FAF8D21DE95DF0666BB314410FE942
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: umail.hinet.net
Sending IP: 45.137.22.41
From: 義美理貨行-許小姐<yimei-judy@umail.hinet.net>
Subject: Re:Re: PO#37146-00 ATTACTED payment
Attachment: ORDER_Payment delay order_pdf.gz (contains "ORDER_Payment delay order_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER_Payment delay order_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 08:58:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e661ae6e-0bfd-4688-8e55-ffabbad7872a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111246/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577734
Signature
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-01-11 04:53:37 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ue6yquiezypwabojk3fvb2bk5sctwsfzrseb223r7wrrlahrhh3q._file
Verdict:
malicious
Similar samples:
054d100afdadfa10c55b97562d697358e8189b4d9414403626a480a7d4474c96
AgentTesla
43a4ccbc49a375bf9ee5bd085412f9e81bd4e9aba05db7e357dd95e04613a70b
AgentTesla
6f7a133591129c585c8f2e64f359c6b19158e1772c7ce2a8e49b4ebe672a86cb
AgentTesla
85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
AgentTesla
8ccce2a5d01211e5db0bcc8721dbea06422c5f3133466e4945e4d301d44df3b2
AgentTesla
a63c16cb1a26010951dc0d60261f95b7236cd70c4843e906503ba7421ee139e2
AgentTesla
ac9a8babed0c6938fc6a4218376339223faad8ce24cb38497b6377664867b2a0
AgentTesla
b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313
AgentTesla
b775f99027bd54675dc308d80174478b62f33f6c432a7e2849ddf970b118bf41
AgentTesla
d6634157030fbc5aa6d88565981868dcacedfd91b8031ab0e2e8dd1a3f1b1c16
AgentTesla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/210111-pzj5vs1b2j/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Unpacked files
SH256 hash:
a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7
MD5 hash:
69809a06bb1bcf7e37c23806d1999556
SHA1 hash:
3ec602156676d4014078392abb6b757f64d314dd
Link:
https://www.unpac.me/results/f9e4649f-6df0-4f3d-9af6-b9c5a89510e0/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/f9e4649f-6df0-4f3d-9af6-b9c5a89510e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Netsha_Mar20_1
Create hunting rule
Author:Florian Roth
Description:Detects Netsha malware
Reference:Internal Research
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_neshta_g0
Create hunting rule
Author:gpalazolo
Description:This rule identifies Neshta Malware.
Reference:https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 79c821ae5a32fdf89c5e2dafb4e3640b77cab1c02b2cbf522a783258d314c75d

AgentTesla

Executable exe a13d885104ce1f6005c956cb50e82aec853b48b98c881d6b71fda31580f139f7

(this sample)

  
Dropped by
MD5 77eb6fdb0e6401e66c593b9e7cbb8b75
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111246/
  
Dropped by
SHA256 79c821ae5a32fdf89c5e2dafb4e3640b77cab1c02b2cbf522a783258d314c75d

Comments