MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3
SHA3-384 hash: 37eac40caa4e9ddb819cdd2267e4a9f29e7babe508b98e5dd8cdae23492b5638dad1a89aa39cffd3e4354e15fd4dd9dc
SHA1 hash: 5e06480fe342682eb425a66ad61e2eccbbed79f1
MD5 hash: a801af578522599b5fa5bd80da8da253
humanhash: seventeen-venus-stream-football
File name:PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'315'840 bytes
First seen:2021-07-29 11:43:04 UTC
Last seen:2021-07-29 12:46:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:tgS/d3eKzks9kswQXwMWy65mQBttnIKHc4wWq1Gy8jhMN6ZNwZ:UKycNCDnIIc4wJAyN6ZNw
Threatray 7'565 similar samples on MalwareBazaar
TLSH T17E55D024C98C9B9ACC5C03740E5846345EF56DE2F2B0D8AC3D8D72B5B7F2829DAB5346
dhash icon c4b4e6e69898d2c4 (11 x Formbook, 11 x AgentTesla, 4 x NanoCore)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 12:01:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8cafbc6-ff02-44c7-8e58-1d2b610cfe01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175012/
Detection(s):
Sanesecurity.Rogue.0hr.20210729-1007.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6999ba57-8b5c-4b99-8d2f-11d211d4a671
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823779
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456191 Sample: PO NOAB1088  ALEMO INDUSTRI... Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 7 other signatures 2->51 7 PO NOAB1088  ALEMO INDUSTRIAL ENGINEERS.exe 7 2->7         started        11 DBqQu.exe 2 2->11         started        13 DBqQu.exe 1 2->13         started        process3 file4 27 C:\Users\user\AppData\Roaming\wNBtIAPh.exe, PE32 7->27 dropped 29 C:\Users\...\wNBtIAPh.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpB8A5.tmp, XML 7->31 dropped 33 PO NOAB1088  ALEMO...L ENGINEERS.exe.log, ASCII 7->33 dropped 53 Writes to foreign memory regions 7->53 55 Injects a PE file into a foreign processes 7->55 15 RegSvcs.exe 2 4 7->15         started        19 schtasks.exe 1 7->19         started        21 conhost.exe 11->21         started        23 conhost.exe 13->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\DBqQu.exe, PE32 15->35 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->43 25 conhost.exe 19->25         started        signatures8 process9
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 09:35:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
52
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4e6cny7vs74ubbqd2bj64trengk234exholppuhkx6w4tvr5klbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07ec2c9cdd71be2769952cb169ec7db7625ba8790d95cf3d977b9544d8efbcf9
AgentTesla
13d90261f73ecaa7455ccdaf16de6d96b122e8829cbf0ffe84ab89fc2cf4cad2
AgentTesla
1b467c02c56a9130e3fb9e62e0ee62aa6b950845c9858f95656e659b814699c3
AgentTesla
2e525c09344f83f1f77d92e492a3fe75158e5424dcc22be92a45870168275879
AgentTesla
566554b534a53102dd67fc20bd07ca49241b51616d73619e383e80bdfc4fe08a
AgentTesla
7b4b43d22be88ed3b2054ef7090ebb7b44ecc03dffa6c32e578002c9a12cbea8
AgentTesla
a10f8284111774da520ee4ddba45bbca1d55441ef48e9da3143aa2ea06f4e635
AgentTesla
dc8b8addeb256bdfb0eb82d09b54b57400deed315a727e331fe66ca59c965373
AgentTesla
+ 7'555 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210729-qgvybw7msx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
f420c786e54c04dc7f9e603037a8d2df634ffcf27f28c83f8a49debc0405bda4
MD5 hash:
a10b82252cd7e435b8efc7ead8e3090b
SHA1 hash:
cc1dfc8a227637d7b0cf725d6992d9c6a1ea2c78
Link:
https://www.unpac.me/results/7226ba01-76cb-4e1c-a984-d196aac7da74/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/7226ba01-76cb-4e1c-a984-d196aac7da74/
SH256 hash:
bca2ba95f1321593158140a7e1efdba2d64d7e42749d6e4f5e38b9594f8a28e0
MD5 hash:
9a8c5aa9f9ae844773972e292471358d
SHA1 hash:
2da4f10be631f115f3d05319e6e6eebf2b588e89
Link:
https://www.unpac.me/results/7226ba01-76cb-4e1c-a984-d196aac7da74/
SH256 hash:
e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3
MD5 hash:
a801af578522599b5fa5bd80da8da253
SHA1 hash:
5e06480fe342682eb425a66ad61e2eccbbed79f1
Link:
https://www.unpac.me/results/7226ba01-76cb-4e1c-a984-d196aac7da74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

8b3227148a76cebba26528fcca582241c63a8523e2655426f6a276ad625fb41f

AgentTesla

Executable exe e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 8b3227148a76cebba26528fcca582241c63a8523e2655426f6a276ad625fb41f
Cape
Cape
https://www.capesandbox.com/analysis/175012/

Comments