MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84576eb81afad9ffdc32144ed3ebf5ebb7e63b27b18725a0e7cead356d3bed60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	84576eb81afad9ffdc32144ed3ebf5ebb7e63b27b18725a0e7cead356d3bed60
SHA3-384 hash:	85421041a111e3ed1c82b2712498e91b04b8f59ecc3566d06a00d727a13e37445f0455a9d838d3846cb666d83181155d
SHA1 hash:	be788540afaf2cb6bab71ea6b44abb5062d8022a
MD5 hash:	aad5b1e199c32ea8f365c742f72112f5
humanhash:	seventeen-montana-zebra-jig
File name:	DHL_Confirmation_CBJ190517000131QT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'806'848 bytes
First seen:	2020-05-26 11:06:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:Vtb20pkaCqT5TBWgNQ7ai6TgBeGOoif6FzNt8KHt+XszTi6A:GVg5tQ7ai6TgBrEME5
Threatray	10'938 similar samples on MalwareBazaar
TLSH	1385AD33739D8363C26151B37A15A7116E7F7C2506E1B45BEFD43ABDA8302E3421A6A3
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: anchorai.pw
Sending IP: 173.82.243.236
From: DHL <info@anchorai.pw>
Subject: Confirmation CBJ190517000131
Attachment: DHL_Confirmation_CBJ190517000131QT.arj (contains "DHL_Confirmation_CBJ190517000131QT.exe")

AgentTesla SMTP exfil server:
smtp.homecares-tw.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-26 12:34:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 31 (67.74%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

217b725d60bbb5cd972b449e8dc966492ea4f229455b420f30b8169412553c83

AgentTesla

246c477d796aabc41946276b9fa8c4201716c2f2aad6d2ec2c26075898b7396d

AgentTesla

356d866f274623590c024a10727dc8cb49a79215b671cebe0e64a406cc0e7b77

AgentTesla

51837e07f216a7af44fbabf5a9e0b91dcbc2dfd3c3428badf554049a193938cf

AgentTesla

663277c04235edb713829c334eb54aba6c34bb2c12c92b0f7df97a08df5d5d48

AgentTesla

667c4ee6a7984c778c918da17447317f7af7f44501ac3a2ec791a02dd54a2817

AgentTesla

72bd0977963ba2b746a267fd559578ab5d8d56a0dccc1e8296785ba4641877d4

AgentTesla

955ac7517239af374296cd9fa5448c42f619097c8dd7477d3039d6f028155cb5

AgentTesla

c62e6a976a7999cc933cdb42e0d6eb0be6dbc979a0d0ef2a3143e6e0a4fb5c7f

AgentTesla

+ 10'928 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-tpc6gjaf76/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 323f5df4f0e249f6d5c3666d5cc21893672fe3e8b0bb42079b32f603899871c2

AgentTesla

exe 84576eb81afad9ffdc32144ed3ebf5ebb7e63b27b18725a0e7cead356d3bed60

(this sample)

Dropped by

MD5 cf3140104c146e7a3fee4fd36d441108

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 323f5df4f0e249f6d5c3666d5cc21893672fe3e8b0bb42079b32f603899871c2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample