MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e
SHA3-384 hash: 9af4de5370f0eb3f3eaafbd41b32af6ec890e607dc5672c4b3f2a5f9eedd8a657cdf97ddf1bd78aa0b2bd732745ed57b
SHA1 hash: 4b15c4122c4f761bb827ad2516c25b69d6d165f1
MD5 hash: 6bc2a140c4e6cd0ff72548d0a9f3613a
humanhash: november-autumn-snake-montana
File name:Receipt_095882247079Dhl.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:763'392 bytes
First seen:2020-05-04 18:16:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 04e2f05a6b7f1bca9a63110a648d2cc2 (4 x Loki, 3 x AgentTesla, 2 x HawkEye)
ssdeep 12288:+S1EbL/CkhkAOo2zF7svoNG9VB4x2VYILbP66mqeXl7GiT3frLUCwtL0:r4/+AOo229y2V9HtmqgzrWtL0
Threatray 11'201 similar samples on MalwareBazaar
TLSH DAF4C022F2F15833D1B7167C9D1B57ACAC2ABE512928994E2FF42C7C5F38281352B197
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zulu.tautorat.net
Sending IP: 37.0.48.195
From: DHL Customer Support <NO-replyDHL@alhoutisons.com>
Subject: DHL Shipment Notification:Incomplete Recipient Shipping Address
Attachment: Receipt_095882247079Dhl.rar (contains "Receipt_095882247079Dhl.exe")

AgentTesla SMTP exfil server:
mail.wafaagroup.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Nanocore.23.7364.14632.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 19:13:00 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tawsnglqtv5aessufjhxogsujt4yptunr4k47i6457fbk6zfdy7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02455f39ff494cd973e1d1db2b9c8d097157c76cc0e634644f8f49dedee6c796
AgentTesla
21339eb283369e13ec4129e6ba7cedfd84b67a40e9b297f367eadbce06edf0a2
AgentTesla
22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349
AgentTesla
32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f
AgentTesla
37d7cd08ca91dc9962cfd418aafc0d115b954ee72c181feaf7d986c1f56b26a7
AgentTesla
7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b
AgentTesla
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
AgentTesla
bed14af47520b04f5fa2b578838a2f88f5c2d7dee6e010b9ed6f5a749bcf8371
AgentTesla
e0e1906cf3bdce3052f97a950aef614488f566a4d587428d64d0c848f97a7a4f
AgentTesla
f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84
AgentTesla
+ 11'191 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-l534k8jhlj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1b21f060f7dc8b51ad35605b028f65b6bccb8d84aef03fe334224640d8e91fe2

AgentTesla

Executable exe 982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e

(this sample)

  
Dropped by
MD5 2df9deb48f3cd0dd9fa396beabd167b0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1b21f060f7dc8b51ad35605b028f65b6bccb8d84aef03fe334224640d8e91fe2

Comments