MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034
SHA3-384 hash: 1d6d2c936442e8ecd019bc328709e5439571c2ac81c6158684f7166efff106e4faa05f1f1731ab9c4215a89b1fdf1188
SHA1 hash: bed60b95ac870077bcc9cedf6901ee60ba6cb2f6
MD5 hash: 0dd86b0c43f54c9f582ba37f558c0b44
humanhash: helium-magnesium-mockingbird-sink
File name:Dispatch Details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:824'320 bytes
First seen:2020-08-12 18:12:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca8a968818883f4b47dacd6943e1ee04 (3 x AgentTesla, 2 x Loki, 1 x Formbook)
ssdeep 12288:F13XOoKnE7J93PUtFiMx56Vnh+23dOEhYkvEPlEjwF0NGLrlkO1gySyUeKUnc:ze87J98ii6NY+9gN5yypsyS3eKx
Threatray 11'178 similar samples on MalwareBazaar
TLSH 9105BF22B3D04937CC67163D9C0B5774A839BE51EA2899862BF51CCC8EF978538392D7
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: lebanonhost.denver.wehostwebsites.com
Sending IP: 72.18.154.62
From: DHL Express LTD<info@dhl.com>
Reply-To: <annewilegama@gmail.com>
Subject: Re: order dispatch documents
Attachment: Dispatch Details.pdf.rar (contains "Dispatch Details.exe")

AgentTesla SMTP exfil server:
mail.ozoneworks.co.za:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44392/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.28221.1486.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Moving of the original file
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/423552
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Maps a DLL or memory area into another process
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 264215 Sample: Dispatch Details.exe Startdate: 13/08/2020 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Detected unpacking (changes PE section rights) 2->36 38 Detected unpacking (overwrites its own PE header) 2->38 40 6 other signatures 2->40 7 wscript.exe 1 2->7         started        9 Dispatch Details.exe 2->9         started        process3 signatures4 12 Dispatch Details.exe 7->12         started        15 Dispatch Details.exe 7->15         started        50 Writes to foreign memory regions 9->50 52 Allocates memory in foreign processes 9->52 54 Maps a DLL or memory area into another process 9->54 56 Queues an APC in another process (thread injection) 9->56 17 notepad.exe 1 9->17         started        19 Dispatch Details.exe 2 9->19         started        process5 signatures6 58 Writes to foreign memory regions 12->58 60 Allocates memory in foreign processes 12->60 62 Maps a DLL or memory area into another process 12->62 21 Dispatch Details.exe 2 12->21         started        25 notepad.exe 1 12->25         started        64 Drops VBS files to the startup folder 17->64 66 Delayed program exit found 17->66 process7 dnsIp8 30 ozoneworks.co.za 156.38.198.58, 49747, 587 xneeloZA South Africa 21->30 32 mail.ozoneworks.co.za 21->32 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->42 44 Moves itself to temp directory 21->44 46 Tries to steal Mail credentials (via file access) 21->46 48 2 other signatures 21->48 28 C:\Users\user\AppData\...\PO16836STAMP PI.vbs, ASCII 25->28 dropped file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034/
Threat name:
Win32.Hacktool.CeeInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 18:14:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uocic22idsjfoh3ahjqpqs22jt2xuzbcyvod777bpvo5b2c2ka2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
1042eea9861e1ac601f162a2ad3da77a4ee701eb9877cdc60d78cf88bfbc2a58
AgentTesla
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
45abe8a161deff5b835815fcc2ff8f0b63b478ae26ce07f648c6fc6679a8e77d
AgentTesla
4d8d60702145448a23d9304e58670f55d8449d2281a6ca9d6d95dbc25cb4e598
AgentTesla
6247e523ab6dc7d791fbf3760047f445d88b85632077090d7e346e9c6c0c76ae
AgentTesla
6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b
AgentTesla
aa9023f5a703af9d6ee84deadf49232572e1ab61d8faeee175db811a6878a6e6
AgentTesla
d2d03d5d249a3c6ef5ed2dcf47bdb3bfda1f68d7ab507a676ae0c6a16ff78eed
AgentTesla
e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879
AgentTesla
+ 11'168 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200812-9mvabg7ste/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 45f7de0a4fb679b83cb9564e0b0dc101bc1ce2964b43e4fc4be20d7c3552d215

AgentTesla

Executable exe a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034

(this sample)

  
Dropped by
MD5 9ceecbc52ef9d44e36be63d173bbef55
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44392/
  
Dropped by
SHA256 45f7de0a4fb679b83cb9564e0b0dc101bc1ce2964b43e4fc4be20d7c3552d215

Comments