MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b675daa6c54e06962ef1162fd7fe105fe9e76193626ec451dda29081cab3582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	4b675daa6c54e06962ef1162fd7fe105fe9e76193626ec451dda29081cab3582
SHA3-384 hash:	959600c3ace5be8b27751c3ec976c156d3dbfcd89f95d89c4d5c0ba1daaa508fc33f9a09e2eac7537d55f1202c568a6f
SHA1 hash:	2ecc1ac4325fd994336904c3d8126ec91b93efda
MD5 hash:	f786e547403c0dff7eda565cb5cb7c1b
humanhash:	jig-neptune-queen-undress
File name:	DHL11-05-2020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'204'736 bytes
First seen:	2020-05-11 08:49:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	94ac44d361a5151c3b27c7d1a876a7f3 (14 x AgentTesla, 4 x Loki, 1 x NetWire)
ssdeep	24576:KGfM18WnMVuvk591FKN3vuawP7UumPTfXZCGdvP/iav:K03z91Y/u9jfmPThCGZPKS
Threatray	2'841 similar samples on MalwareBazaar
TLSH	9E45E121F6B01437C1321AFD4D5B56ACA92BBE513928994E2BD71F4C9F3B681392B1C3
Reporter	abuse_ch
Tags:	AgentTesla DHL exe geo TWN

abuse_ch

Malspam distributing AgentTesla:

HELO: hosting12.ji-net.com
Sending IP: 203.130.149.250
From: tw.customercare@dhl.com
Subject: DHL Express運送確認書
Attachment: DHL11-05-2020.zip (contains "DHL11-05-2020.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

95

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Artemis85EBAC484AE7.32433.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-11 01:10:33 UTC

File Type:

PE (Exe)

Extracted files:

395

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jntv3ktmktqgsyxpcfrp277bax7j45qzgytoyri53iuqqhflgwba._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

Similar samples:

24e7c637d79dab5d54c17af32acb51ff82ea26b6a76ee58c22c4ef97254c09db

267126396c3c2edf406eecf6072b3acbee74dfbde7630cd184b9824ed18aac92

3aed578eac99c3b865fceef0250760f283ed3a2e2c191447e3e6eddf659a1c5b

415f51fc45bfa2cc9d08ef68776efa27b5495043c1e180fdba23998d42a1edeb

459dec201d7e9bfaaa4e4be9fe419b51bef407d0215a6d292cd5346fa3885f95

4a6067b076edb6669b238f77c51ee8408cb4708f7c8b99ddddbca3b4b8e304a2

69743cf570a9635bebdf3c89b4ad7c6824efac3c2c3ee33577177fb7954848a6

7637dfc39e0b31a46b0a129581e6aaab7cfbc6f52bbe705ee62816fa7743b35f

7c124384c122263b3c98e2cd1208ae98d8964e1f0d3fc08b326fd62cd75bc59a

80eb41c227d25497e75d5d5bde1e26d917d997c5a7dabdcc31c31ae1008a7ced

+ 2'831 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer upx

Link:

https://tria.ge/reports/201109-48422twbae/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

MassLogger

MassLogger log file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 8e0487bd2f93a139d1ea66a227d135f0d0383ca310d90cb8622df4da10bf8a90

exe 4b675daa6c54e06962ef1162fd7fe105fe9e76193626ec451dda29081cab3582

(this sample)

Dropped by

MD5 39d13c48bfbd30038fc7c8f9a4ddb8ff

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 8e0487bd2f93a139d1ea66a227d135f0d0383ca310d90cb8622df4da10bf8a90

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample