MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea
SHA3-384 hash: fe7ac0eeb7f06e648f4fdb50f912e6d93ee5e0d291c16fac9f56b203982e69294f5bba0187cd01965d7e8c3b7cb555e0
SHA1 hash: a8f2d447da5359eb0190422ebe5c957a836f43a8
MD5 hash: 8a4e7633cd4638e903e0d88842b94fd2
humanhash: five-burger-three-bulldog
File name:8a4e7633cd4638e903e0d88842b94fd2
Download: download sample
Signature AgentTesla
Create hunting rule
File size:697'856 bytes
First seen:2023-05-27 01:19:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:t7z5GoJiGaq5auBwaAqApQAGu7Y0k9cx2cqtaXYJL3rcWeqTjaE:p5GoR5aIlALPGQ46wtaELbcWr
Threatray 4'312 similar samples on MalwareBazaar
TLSH T12BE412583269981BE0273FB445626B790BB67F957034EBCB2CC233DF42E6B914612787
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4ccccd4d4cccccc (8 x AgentTesla, 7 x Loki, 3 x RemcosRAT)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a4e7633cd4638e903e0d88842b94fd2
Verdict:
Malicious activity
Analysis date:
2023-05-27 01:21:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efbb5f99-30ef-4c7b-9b98-6e54039cf38c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392337/
Detection(s):
SecuriteInfo.com.Variant.Lazy.346656.1753.24950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64715ac30b66894fb762f043/reports/82321ed7-6111-435f-8d68-23e11bf29078/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c833052-a012-4a60-89be-ade7cdf91501
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243597
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-27 01:14:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ye6rbwplkuc4shazqlovkam7rvpfcimvfptxjxea57zuirj4kdva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13e98dcbf169f54503a15d9415b086222ae48f2e872c69c9417e56d29f610b85
AgentTesla
4708bada9bbf77daade9a3f124eb0f5309ea68bba94c5bb4b332701d1d010185
AgentTesla
631c5e9fd885b9265351f4be1562ed151d7c8c0a9ed30ddae5614d8091174ab7
AgentTesla
65e5db36aa890bc554af92c7fb9b492651e9ef18bc68cad829511b914d0be5e2
AgentTesla
92a4f2858bb9f3e546b315c52ee4e07903125b02f55c23cc8ae3e32e2012b2e0
AgentTesla
a242d05d9234c40a82be642ceb1c6e4ee4b5ff008ced528553f1cd104a6fd82c
AgentTesla
ae06162a5d6deb6cb98b2c2f0d1f5e1c8427f15d271e90654d47520833d3f106
AgentTesla
be06d327419c53584beff876b97e9620c5e47b1cdca45d895d059cc2ed3644f7
AgentTesla
c533150826bd6cd5b29cc1ec1b552091e976f7ec10044796f947bc262023d9bf
AgentTesla
d645c82038ed0caed9dfb2b13d0057e75205e4dfcfb448ebb7b7c6e2271e6079
AgentTesla
+ 4'302 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230527-bp32ksac9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Gathering data
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c13d10d9eb55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c13d10d9eb5505c91c1982dd55019f8d5e5121952be774dc80eff344453c50ea

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/392337/
  
URLhaus
https://urlhaus.abuse.ch/url/2642199/

Comments


Avatar
zbet commented on 2023-05-27 01:19:59 UTC

url : hxxp://194.180.48.59/kakazx.exe