MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e65f5a5983ed021643425c83b8ffc1f324402a3acd38bf6625658218a690fa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e65f5a5983ed021643425c83b8ffc1f324402a3acd38bf6625658218a690fa0
SHA3-384 hash: 372ec097fcdc8f5ab448de13f93efcd50e992393c83326c0b6788d53c49bbe755bab103cb1283a0e511011f1d233de8c
SHA1 hash: 543efb6c8edc78a79da4803a2f8ddd2899669d46
MD5 hash: c491cdad621329618d549769f117d833
humanhash: helium-vegan-stream-alabama
File name:DHL00117353792022PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:483'328 bytes
First seen:2020-05-13 07:05:24 UTC
Last seen:2020-05-13 11:25:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YGdV4t2s8OHN9EcoHvA7QaEaxNB5JxhqWn5rc:YM4Is8G/EPA7NT5DUWn9
Threatray 2'146 similar samples on MalwareBazaar
TLSH 94A422E43D02D84FCE7B79B87149C7CA87A08C87B491F58B2EA57C70A6873DA0D505A9
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vxado-27.srv.cat
Sending IP: 46.16.58.131
From: DHL Express Delivery <info@dapelixi.com>
Reply-To: worldnetofficemailer@gmail.com
Subject: DB_DHL_AWB_00117353792022
Attachment: DHL00117353792022PDF.iso (contains "DHL00117353792022PDF.exe")

AgentTesla FTP exfil server:
ftp.eden.ro:21

Intelligence

File Origin
# of uploads :
4
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 07:36:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzs7ljmyh3icczbuexedxd74d4zeiavdvtjyx5tckzmcdctjb6qa._file
Verdict:
malicious
Similar samples:
164e48e363fa5ab0f87e623500e1a9752deb0726e14d2dbfb8efb3fb242b0de4
AgentTesla
3be9a39a38e9b29caca887de4c983aa2839004bc0fdbec8767fc6001c46fb250
AgentTesla
6b8c42512f9ded989af306acf3815e327bc85e0110dec5e6afe04900ff8d5429
AgentTesla
935e06731d9b88fcf33673ae11c9f9d184610aa64a6b7e1da89b1328a34e1b83
AgentTesla
a0e235eeab80ec69585271a662cfca4d0a8b7f89495fbb55a42758be1ebb7676
AgentTesla
b2dfba1ce7b2522089f2d409187d5661483e581e893f7fb6fa681b5dbebed71c
AgentTesla
cff33a8745ac625c5b182ba9ec05cc309ca77346b81f748c9a2738d8322ebf05
AgentTesla
d159b66f0376a6dc5026fd4a827e12c77af9bf91d69e1c2a4766bafb236f344b
AgentTesla
e102edf045b60201468f4f7910e3ed9d78bcfb0a1e0955bf14faa9ebb2deab8f
AgentTesla
e304360ae3cd976383d8593e91f3f3bb95ab4f56f90d281e390e64b9f9b45a10
AgentTesla
+ 2'136 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-nx16f2rf1s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Modifies service
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 00c683daa732a0f64c8601e5c6ba8e006f84f9ed24180dea224f05c72d27baed

AgentTesla

Executable exe 3e65f5a5983ed021643425c83b8ffc1f324402a3acd38bf6625658218a690fa0

(this sample)

  
Dropped by
MD5 3e0e01ef963ccba4dfdafaf8a2bd3ea0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 00c683daa732a0f64c8601e5c6ba8e006f84f9ed24180dea224f05c72d27baed

Comments