MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
SHA3-384 hash: d7e0c1d43c55771f7bbd89d8ad136c987d2852e0495e5d6d0effa876744ab621946f8651c53d29238edba02c9ca951f6
SHA1 hash: e68eeff0c01deb9b469825f00f287d88fdd85c0a
MD5 hash: d65a37653012ce0c0a177456458a465c
humanhash: lion-crazy-washington-eighteen
File name:DHL_Receipt_106_9882_671.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:871'424 bytes
First seen:2020-08-18 11:39:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QS1QbvgWK5WpLv9hcE1F5/qrGzfPCwq0TS1jR5ITmLTh:pQbvxaW5h1FhqrGzHCwqrIyR
Threatray 10'552 similar samples on MalwareBazaar
TLSH 2A0507393A856C18D53E567110E86AC1B331A18B3E81CB1F7ACF43DE6F0669B3B9605D
Reporter abuse_ch
Tags:AgentTesla DHL exe Hotwinds


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hwsrv-755267.hostwindsdns.com
Sending IP: 104.168.176.44
From: DHL Express <contact@service-immo.com>
Subject: DHL Delayed Parcel No: 106-9882-671 Download Print Receipt
Attachment: DHL_Receipt_106_9882_671.iso (contains "DHL_Receipt_106_9882_671.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47743/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 11:41:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=arbdm54i5lj4z4gjunuakbj34sgdgkvwk32rmz7uycglx6r7hlaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2f32d708b0b5b6b6bbd476e029d0609c4a5444650a7d4ce53bd476af0b90d4d3
AgentTesla
62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
AgentTesla
80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2
AgentTesla
99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8
AgentTesla
a7d27c9cca035fac67dadf420c7adcfb2b196b4f2db64d94e13ddb6a9ea1c46a
AgentTesla
c22ee6c1ffbbc94db718846d0d68da507573c24eb66ab1122a1d2a177fa42e2f
AgentTesla
c639621985cf5e13b426c10f605d28767636aabd6ac4e8d16da8ddc2c2bbc356
AgentTesla
d045c6b114f25c29811bbb61864da2f464c9d5195b54d70008b7bbf91384b47f
AgentTesla
d5231355835fc25fb6f9923639331084ff0ae602929793c263e01eda38d2fa1b
AgentTesla
fe13b5826a85afc204c9be0a3c8da5fb28844c5d7829413d23dd7e4229400bf4
AgentTesla
+ 10'542 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200818-3rv7jc3l9j/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso c822a3d25176e5fa147c6ed47cc3ad99b34c8b0768aca882e29d66738c111cd7

AgentTesla

Executable exe 0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0

(this sample)

  
Dropped by
MD5 dac67c0ba34de014ea9db1127a399065
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c822a3d25176e5fa147c6ed47cc3ad99b34c8b0768aca882e29d66738c111cd7
Cape
Cape
https://www.capesandbox.com/analysis/47743/

Comments