MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

SHA256 hash: d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad
SHA3-384 hash: 0bbc5f2f9d6484e0aa27f5df80100622a13c3431fe30cb13b6cde4cf2064749b403ee0297d6be8b3f867130534b160ae
SHA1 hash: 2692c0c0bc409e7aa6bd1e807c0e9cf07204385d
MD5 hash: 016b8ae2905fa4a385a6ef59e4fb812e
humanhash: social-sierra-tennis-pasta
File name: PO #00079.exe
Signature: AgentTesla
File size: 1'212'928 bytes
First seen: 2020-12-18 06:42:12 UTC
Last seen: 2020-12-18 08:41:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:pFoHv5peIlK7aEDi5ladSgK9GR/WhejgwLMKb0/:XI7EDp/K9yJDH4
Threatray: 1'884 similar samples on MalwareBazaar
TLSH: C945AF207FD92726F03FBBB555D86089C7FAB223E306EE5A3CA103C65612E45CD91636
Reporter: cocaman
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO #00079.exe
Verdict: Malicious activity
Analysis date: 2020-12-18 06:43:28 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result: Gathering data

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Threat name: ByteCode-MSIL.Ransomware.WannaCry
Status: Malicious
First seen: 2020-12-18 00:40:46 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
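The scheduled-task signatures above (Sigma "Scheduled temp file as task from temp location", "Uses schtasks.exe or at.exe to add and modify task schedules", and the second sandbox's "Creates scheduled task(s)") describe behaviour a SOC can hunt for in process-creation telemetry. What follows is an added example written for this page; it is not the Sigma rule the sandbox matched and not MalwareBazaar or sandbox code. The event records, their field names (Image, CommandLine, EventRecordID, in the style of Sysmon Event ID 1) and all helper names are constructed for the example, and the check that a schtasks /tr or /xml argument, or an at.exe command, points into a temp directory is this example's own reading of what the signature name implies.

```python
"""Detect scheduled-task creation that points into a temp directory.

Added example for this page, not the Sigma rule the sandbox matched and not
sandbox or MalwareBazaar code. Event records and field names are constructed
in the style of Sysmon Event ID 1 (process creation).
"""
import re
from typing import Dict, List, Optional, Tuple

TASK_TOOLS = {"schtasks.exe", "at.exe"}

# Temp locations and the environment variables that expand to them
# (assumption: this is the set of locations the signature name refers to).
TEMP_PATH = re.compile(
    r"(?:%temp%|%tmp%|\\appdata\\local\\temp\\|\\windows\\temp\\|^[a-z]:\\temp\\)",
    re.IGNORECASE,
)

# schtasks switches that carry a file path: /tr (program the task runs) and
# /xml (task definition file). Either one living in a temp directory is what
# we flag.
PATH_ARG = re.compile(r'/(tr|xml)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def image_name(image: str) -> str:
    """Basename of the executing image, lowercase, tolerant of either slash."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_file_args(cmdline: str) -> Dict[str, str]:
    """Map each /tr or /xml switch to its (unquoted) path argument."""
    return {
        m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
        for m in PATH_ARG.finditer(cmdline)
    }


def modifies_task(cmdline: str) -> bool:
    """schtasks only registers or edits tasks with /create or /change."""
    lowered = cmdline.lower()
    return "/create" in lowered or "/change" in lowered


def evaluate(event: Dict[str, object]) -> Optional[str]:
    """Return a reason string when the event is suspicious, else None."""
    tool = image_name(str(event["Image"]))
    if tool not in TASK_TOOLS:
        return None
    cmd = str(event["CommandLine"])
    if tool == "schtasks.exe":
        if not modifies_task(cmd):
            return None  # /query, /delete, /run etc. do not register a task
        candidates = task_file_args(cmd)
    else:
        # at.exe takes the command positionally, so inspect the whole line.
        candidates = {"command": cmd}
    for arg, path in candidates.items():
        if TEMP_PATH.search(path):
            return f"{tool} {arg} references a temp location: {path}"
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run evaluate() over a batch of events; returns (EventRecordID, reason)."""
    hits = []
    for event in events:
        reason = evaluate(event)
        if reason:
            hits.append((int(event["EventRecordID"]), reason))
    return hits


# Constructed events for this example (not real telemetry from the sample).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventRecordID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\qHyWsd" /XML "C:\Users\user\AppData\Local\Temp\tmpA1B2.tmp"'},
    {"EventRecordID": 2, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Sync /tr "C:\Users\user\AppData\Local\Temp\svc.exe"'},
    {"EventRecordID": 3, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn Sync"},
    {"EventRecordID": 4, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"EventRecordID": 5, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(f"[ALERT] record {record_id}: {reason}")
```

Records 1 and 2 fire (task definition file and task action in the user's Temp directory respectively); the /query call, the task pointing into Program Files, and the unrelated process do not. In production the same logic belongs in the SIEM's query language rather than a script, and legitimate installers do occasionally register tasks from Temp, so treat a hit as a triage lead to be joined with the parent process and the file's hashes rather than as a verdict on its own.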
Unpacked files
SHA256 hash: d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad
MD5 hash: 016b8ae2905fa4a385a6ef59e4fb812e
SHA1 hash: 2692c0c0bc409e7aa6bd1e807c0e9cf07204385d

SHA256 hash: 72de5ecbcd543ccb6527ef9ce2c7df3a70d9647d93ae6242c1008e2ec1fa5982
MD5 hash: c2d1b7dffb6d68fa305885a1548883ab
SHA1 hash: 0175e5aacee2e16d30bae96f5d387e8823104e7c

SHA256 hash: 55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash: 6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash: 42a5a02eabe7d80d79408549e7686d4e44524361

SHA256 hash: e73a44f677e237ab479948f70a2dea3ddbe698f99a1933cb0322dc650a5fa43a
MD5 hash: 5b0b480e35c60c380130106debc465e6
SHA1 hash: 5c142cdf204ba8bde8e722207e37c002f6f7752a

SHA256 hash: d2a61e32312c4969af619b8cd66c8f270731e5b2c21afc63fcbcd6ff81d215ca
MD5 hash: 0b6b49bd2b30fe0e4be136aa41c568b6
SHA1 hash: 8655229c1cca31c39ad822bc2f3a377cba04f0ea
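The entry publishes SHA256, SHA1, MD5 and SHA3-384 digests for the submitted file, plus SHA256/MD5/SHA1 for each of the five unpacked files above. The following is an added example, not MalwareBazaar's own tooling: it streams a file through all four algorithms once and reports which of the entry's indicators it matches. The hash values are copied from this page; the function and constant names are this example's own.

```python
"""Verify a file against the hash IOCs published for this MalwareBazaar entry.

Added example, not MalwareBazaar's own tooling. The hash values below are
copied from the entry above; the helper names are this example's own.
"""
import hashlib
from typing import Dict, Iterable, List, Set

# IOCs copied from the entry: the submitted sample plus the five unpacked files.
PAGE_IOCS: Dict[str, Set[str]] = {
    "sha256": {
        "d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad",
        "72de5ecbcd543ccb6527ef9ce2c7df3a70d9647d93ae6242c1008e2ec1fa5982",
        "55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc",
        "e73a44f677e237ab479948f70a2dea3ddbe698f99a1933cb0322dc650a5fa43a",
        "d2a61e32312c4969af619b8cd66c8f270731e5b2c21afc63fcbcd6ff81d215ca",
    },
    "sha1": {
        "2692c0c0bc409e7aa6bd1e807c0e9cf07204385d",
        "0175e5aacee2e16d30bae96f5d387e8823104e7c",
        "42a5a02eabe7d80d79408549e7686d4e44524361",
        "5c142cdf204ba8bde8e722207e37c002f6f7752a",
        "8655229c1cca31c39ad822bc2f3a377cba04f0ea",
    },
    "md5": {
        "016b8ae2905fa4a385a6ef59e4fb812e",
        "c2d1b7dffb6d68fa305885a1548883ab",
        "6ce9761c3c3ae715d40a77b982d31dc9",
        "5b0b480e35c60c380130106debc465e6",
        "0b6b49bd2b30fe0e4be136aa41c568b6",
    },
    "sha3_384": {
        "0bbc5f2f9d6484e0aa27f5df80100622a13c3431fe30cb13b6cde4cf2064749b403ee0297d6be8b3f867130534b160ae",
    },
}

# The four algorithms the entry lists; all are available in hashlib.
ALGORITHMS = ("sha256", "sha1", "md5", "sha3_384")


def compute_digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed a stream of byte chunks through every algorithm once; lowercase hex out."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file from disk so a large dropper is never read into memory whole."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return compute_digests(chunks())


def match_iocs(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the algorithms whose digest matches an indicator, case-insensitively."""
    return sorted(
        name for name, value in digests.items()
        if value.lower() in iocs.get(name, set())
    )


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        hits = match_iocs(digests_of_file(path), PAGE_IOCS)
        verdict = "MATCH on " + ", ".join(hits) if hits else "no match"
        print(f"{path}: {verdict}")
```

Run it as `python verify_iocs.py <file> ...`. Exact digests only identify these specific builds; AgentTesla is repacked per campaign, which is why the entry also carries imphash, ssdeep and TLSH and lists the YARA rules that matched. Those fuzzy indicators catch variants the exact hashes miss but carry a higher false-positive risk: the imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so it identifies a packer or loader family rather than this sample.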
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: AgentTesla
Executable exe d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad (this sample)
