MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65af15b11856d21689e9802922fb393c3eafaef2e05724f7af5ecd99c8db6c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65af15b11856d21689e9802922fb393c3eafaef2e05724f7af5ecd99c8db6c37
SHA3-384 hash: 9460a8f9a4f6ebbb92d80a9451c21e333d75ea8672ff45ddf5006e712d03190813a7f4dd94ddc730d26416b40e7f5579
SHA1 hash: 6755acd358b2e603c5615552d5c3107174b669d3
MD5 hash: 0445861e3e7013992c7d3c8387f40bf8
humanhash: two-beryllium-oven-victor
File name:dhl_doc7348255141.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'372'160 bytes
First seen:2020-06-08 12:38:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:etb20pkaCqT5TBWgNQ7a0Cj/Ne2ZiRoskzL7Jfo6JooJR+n6A:LVg5tQ7a0Cjg2Mesg7JfoB95
Threatray 10'859 similar samples on MalwareBazaar
TLSH 8255D01273DD8361C3B25273BA55BB01AEBF782506B5F96B2FD8093DF920122521E673
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: track.easyandweb.com
Sending IP: 137.74.191.59
From: DHL Express <support@dhl.com>
Subject: DHL Shipment Notification : 7348255141
Attachment: dhl_doc7348255141.zip (contains "dhl_doc7348255141.exe")

AgentTesla SMTP exfil server:
smtp.waltartosto.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 12:40:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mwxrlmiyk3jbncpjqausf6zzhq7k7lxs4blsj55pl3gztsg3nq3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03ae4207929577cb85b053974c9fe15f99ccf71992b056ff437a086179ae720d
AgentTesla
5f424b8c80f27423b12cdf9d7d6a70937edb28fe07b8ed4dde0e965810cbd674
AgentTesla
8efdf4cc2920c2c6249a9c38ca612a1b238dd477194a55bff42f1a20ecfd0ebe
AgentTesla
9c8eb9c9b67abe15ffbe4d7589e59173f56a38a853bdb079362297270fdaf4d2
AgentTesla
ac6d10eb17cc67080c4b0d9a33b881d479f88194f5b7bac23cd6c4879afb4934
AgentTesla
aedee4f131eef738b19991d52758a3e5aa8b804a6763a9fd48b568f1351d5452
AgentTesla
ce68522259f7e8dd5e8b7907f896193c44e9a5a1243194d9dfb758a708e7968a
AgentTesla
e53bcd253a30c4fdfbcfe230fadf4cfafa19dff6c10d461041fa2a405e6f1f8e
AgentTesla
e93afd4067150bd662214a18a87f226e8b50729186caf728ef70d71eb4510094
AgentTesla
f32433910c4e4cfc2c310279138f0c977abdb9878661781bf28c752b15b92df7
AgentTesla
+ 10'849 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-qrp23hcbce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d6130d160b57a3de1e6d5d21d16966129e966ce68a189174efcb5551317b34bc

AgentTesla

Executable exe 65af15b11856d21689e9802922fb393c3eafaef2e05724f7af5ecd99c8db6c37

(this sample)

  
Dropped by
MD5 83271d4962d0c3a0d2a9612b03273183
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d6130d160b57a3de1e6d5d21d16966129e966ce68a189174efcb5551317b34bc

Comments