MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fa1363c857cc46f603a4eff38b86058b80ecca1f554c65e943f94725b5c2570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fa1363c857cc46f603a4eff38b86058b80ecca1f554c65e943f94725b5c2570
SHA3-384 hash: 66cea9db9d069996649e8554e2239bffc999ad4de3c3432c0788505fc6e19e582c62b77bbd5f9b02663e27830e08974e
SHA1 hash: 2e160435fdb8407bbff4ed8d71bde0f317365a27
MD5 hash: 615bf96891a61c261995f100b65f5097
humanhash: undress-georgia-twelve-carbon
File name:DHL_Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:447'488 bytes
First seen:2020-06-24 06:47:54 UTC
Last seen:2020-06-24 10:35:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4fhdJPUeMfwl5g5owLAd86iHnUx3EVkEfkJ+MkAln3BB4isw52SMqVLq5u5XcqXS:4FNMfwLqxZ6i0xrEsJ7A29MqU5uNn8wG
Threatray 10'632 similar samples on MalwareBazaar
TLSH 2494011A376CEA1BC97C11F588D2274803B969AB7750E3E90CC066FA64C37F689653C7
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dhl.com
Sending IP: 103.99.1.145
From: DHL Express<dhlsender@dhl.com>
Subject: RE: Shipment Arrival Notice
Attachment: DHL_Document.rar (contains "DHL_Document.exe")

AgentTesla SMTP exfil server:
mail.aquariuslogistics.com:587

AgentTesla SMTP exfil email address:
ajay@aquariuslogistics.com

Intelligence

File Origin
# of uploads :
5
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13504/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1fa1363c857cc46f603a4eff38b86058b80ecca1f554c65e943f94725b5c2570/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 04:45:30 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6qtmpefptcg6yb2j37trodalc4a5tfb6vkmmxuuh6khew24evya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
AgentTesla
131bfb49b5d80492ddcab3ec34448a445806e0c992c96eca65d42311539defe6
AgentTesla
4eabc90cd22f8508e0cdbb89f10c19a91634f174a57f64b6d988b7979f9fb77d
AgentTesla
7d56a78ec4597281ff8c36645c1ff7286cf3d494965a2acd6666ece2d8ff856b
AgentTesla
82bdf1c9eeecb62113d9b063bcf848c14e4cecf21950b129fefeb40d6ec95a70
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
9961dbd5a5bab309bcb5b9ba4bdb33859ad01d03cebf2690dfe1a9c8746d6a74
AgentTesla
99a8b22ec655fd50aa2bdb93b05e8533ec539feeffacf592cf038a6ede299314
AgentTesla
c2bd939267fd297467b51564f35292ef7753329e2ac5ca000b9b1c1fcbf90d1a
AgentTesla
e658e882e9edcae046e5229fbf61c435264f57f9a8af9b2cb5fe4419ea4cdb1c
AgentTesla
+ 10'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-hhfnhw6l6a/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f8fadb389277ddda11c44f8f2eabcc5de5da6c02d067e7a1505b6aba3d6ff6bf

AgentTesla

Executable exe 1fa1363c857cc46f603a4eff38b86058b80ecca1f554c65e943f94725b5c2570

(this sample)

  
Dropped by
MD5 8d369cb0879373692cacead79e8dd02a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13504/
  
Dropped by
SHA256 f8fadb389277ddda11c44f8f2eabcc5de5da6c02d067e7a1505b6aba3d6ff6bf

Comments