MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08e8fd6698c6f9ec2463945c8bbb7c49302d551d39de1d148554c1e2d7bebd05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	08e8fd6698c6f9ec2463945c8bbb7c49302d551d39de1d148554c1e2d7bebd05
SHA3-384 hash:	69aad93e9cd232f87c73bd920607b46a12899d498639eda0c8071d49422e696acc7449a32f0eeed0d3e149ef9c15752b
SHA1 hash:	749ea447420f1f2968c77bd1c882375ea60ca509
MD5 hash:	accb71b25b538cf41c531a240a8dff80
humanhash:	december-mike-robin-cat
File name:	invoice No_SINI0068206497.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	663'552 bytes
First seen:	2020-08-06 05:55:38 UTC
Last seen:	2020-08-06 22:24:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:7kZWGYlDhZ//qtSMy8Cbpv8MYKR7cEoZi/YM2JkOTfF9oFFRmb:7kKjZASMy8CbpfYKRQEX/YhkOMVm
Threatray	824 similar samples on MalwareBazaar
TLSH	54E43A3D3682A905E53E093644E8599363B1B1473B92CB1F6AC6579C7F123EF3F0618A
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing unidentified malware:

HELO: sx0.msllownpl.ml
Sending IP: 139.59.1.202
From: DHL EXPRESS <noreply@msllownpl.ml>
Reply-To: annequeyquep@gmail.com
Subject: DHL PO1001910 Sample Arrive : Tracking No_SINI0068206497
Attachment: invoice No_SINI0068206497.gz (contains "invoice No_SINI0068206497.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

64

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/40100/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/412181

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08e8fd6698c6f9ec2463945c8bbb7c49302d551d39de1d148554c1e2d7bebd05/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-06 05:57:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bdup2zuyy346yjddsroixo34jeyc2vi5hhpb2fefkta6fv56xucq._file

Verdict:

malicious

Label(s):

netwirerc

Similar samples:

1ef829bc1993a01681f50af586d81c35f31455dd8263d422888761eb420687cb

1fe24761cfcb48d6d3a4f1ad9d02c2429c7f567fda2bda78f5d12c89717c6285

2aa15fa44c566c42a45a262792c01f2badb64bbe49dc9abf38957bbebdbcf2d6

3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a

4007480b1a8859415bc011e4981f49ce2ff7a7dd7e883fe70d9f304cbfefedea

590c19542f6959d6424107eb4f2998b04d035575341b1f23a40dea6d82aecadd

6d9c4aa0d5dd0a772adfea51ed3fe61ce25cfe079d91353cd7516cc972c9cf70

91433fed32b520cfc98adb3cd6bae0a973117440474e47eff440bddb37262287

afe4edd3d00f95f9dbab6934ae1eb0a7354dc1f950182a27774ece0134a0166b

f44c6c8c1c81f9990f11a0f70e6517c358fc1ee00a78b32461d4a2594b48e47d

+ 814 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200806-d8tjee4n1s/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/08e8fd6698c6f9ec2463945c8bbb7c49302d551d39de1d148554c1e2d7bebd05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz b3d330df038cf37ddfb69d939987e14e9c81ea830eb126f90eb3504356042dbc

exe 08e8fd6698c6f9ec2463945c8bbb7c49302d551d39de1d148554c1e2d7bebd05

(this sample)

Dropped by

MD5 7dc4813d5e4233857ca6646c399e9f2f

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/40100/

Dropped by

SHA256 b3d330df038cf37ddfb69d939987e14e9c81ea830eb126f90eb3504356042dbc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample