MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e19dfb59bb4eca04491409c02a31dc3a3b7cfd407638f28029578b2d3da0001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e19dfb59bb4eca04491409c02a31dc3a3b7cfd407638f28029578b2d3da0001
SHA3-384 hash: 6074ddb0dd37d37a7523fe7a20e687fa12cbac354d4434c70cffda3b577d055e2e25249f654e914617701f485591ef3c
SHA1 hash: f1e6641b8adc43093fa9924cf9df8ea1c69e63c3
MD5 hash: 207dd78afb6a2a8409abd27d7cd6a95f
humanhash: north-lamp-social-golf
File name:DHL_DOC 978654787986709E.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:892'416 bytes
First seen:2020-07-20 10:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:npSmgRDF1q9I6/kldSCGDyaod+ik4g8y3SoDwU0pucwPvt4hegn4YgFYw:GbOPW2rEloD52uckvt40gp
Threatray 10'715 similar samples on MalwareBazaar
TLSH 9315E0C83B40A40EC59E1EBA4E518D708770AD42F6F3E34727C66EDE297E39BC905691
Reporter abuse_ch
Tags:AgentTesla DHL Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 162-241-204-235.unifiedlayer.com
Sending IP: 162.241.204.235
From: DHL Services <ceo@radhashyamcorp.community>
Subject: DHL Shipment Notification: 7348255141
Attachment: DHL_DOC 978654787986709E.rar (contains "DHL_DOC 978654787986709E.exe")

AgentTesla SMTP exfil server:
smtp.groupageos.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28947/
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e19dfb59bb4eca04491409c02a31dc3a3b7cfd407638f28029578b2d3da0001/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 10:50:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rym57nm3wtwkarericoafiy5yor3pt6ua5ry6kacsv4lfu62aaaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
078b1c9afd06c1090bb88657eba69d04ab283663f0f7dd400efd26abfae64451
AgentTesla
52d7bfc971d3f5909eed410680570736d02dc79f93b42e1627a78597205ef862
AgentTesla
672890fe585891106f1f8b275f6084f6ac05855aae825a2c0ada8899da2be91d
AgentTesla
6b24da236543d38133dc41cadcf3dea51bc290479b3d669031a2c8668a620648
AgentTesla
6c6e4ab5cfae334d310d66a79b2ec9947b66f14f4115b5240632bbeadb46a0cb
AgentTesla
897a1305d267937baedeaf75e35e386efbb9c5d7d66819aaecfd885e84196142
AgentTesla
a3f9545ddf7244f998a67295061f41c41695e851af01b195be80a800c2997954
AgentTesla
ae74623e356130501507540ec165aa3ca088a7cb27bae50769998b6cb6538f0b
AgentTesla
e4bcafbc49c2728523bf73c57d25daf68b79c07b73f7c67a6d1bb7642a9841ec
AgentTesla
f7e7f9c0172ba900708b35378e311e9a29168621ed968082f3f980f81de19c54
AgentTesla
+ 10'705 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-hsmjc1ldx2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e19dfb59bb4eca04491409c02a31dc3a3b7cfd407638f28029578b2d3da0001

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 8343908b285440f41e45e0a497f5dfdbaf9bfa015ff7d52c1f82431c2dea3d01

AgentTesla

Executable exe 8e19dfb59bb4eca04491409c02a31dc3a3b7cfd407638f28029578b2d3da0001

(this sample)

  
Dropped by
MD5 1d0a93e5ecba493c1725c18ff744626a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28947/
  
Dropped by
SHA256 8343908b285440f41e45e0a497f5dfdbaf9bfa015ff7d52c1f82431c2dea3d01

Comments