MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5d738ea5a80bc92eb43fb1eddf4d628412684eda0bdcd2a325a206d1fac0b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5d738ea5a80bc92eb43fb1eddf4d628412684eda0bdcd2a325a206d1fac0b2b
SHA3-384 hash: 94d60351d8593ab227c1060715103b9e4dbc4096f3cee73dbf470dbf3b46e69725067a054b23e04c365f221c20afbc22
SHA1 hash: eb06125d27dabf962f9fb8bb76c60a78df9441f0
MD5 hash: d0a1896ee4fc2f42f980b1bfdbf7ce45
humanhash: fillet-nevada-white-queen
File name:DHL_overdue account letter.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:482'816 bytes
First seen:2020-06-15 13:25:37 UTC
Last seen:2020-06-17 00:18:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0mG7pES4mp3lASbgpGOkwW/aIPsI5Yc7N:Cpemp3SSkppLW4I5Yc7N
Threatray 10'634 similar samples on MalwareBazaar
TLSH F1A402057BD8DA21E2F59FB688F1284583B5799B3912E38F5EC070A81E73F848952F17
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dhl.com
Sending IP: 103.99.1.170
From: Pravina Patole (DHL IN)<Pravina.Patole@dhl.com>
Subject: DHL Overdue Account Notice - 4447575766
Attachment: DHL_overdue account letter.rar (contains "DHL_overdue account letter.exe")

AgentTesla SMTP exfil server:
mail.microtechlab.in:587

Intelligence

File Origin
# of uploads :
4
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10450/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Sonbokli.Acl.11575.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 13:27:06 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxltr2s2qc6jf22d7mpn35gwfbasnbhnuc642krsliqg2h5mbmvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0189ad2e08f8bb4c487e31502a7e86ccf2bfaba40fda638f316cb5c9ca80d767
AgentTesla
4e1d9e3cb83b44c13a9870d21f59b4eb335167d952a6914583a8a0259d6c16c0
AgentTesla
595b37aaa2f4f30c1fc3652272dc53800f81d53b2f879cb994862386f5bbcf91
AgentTesla
75baae23f80f6def274e340b17867d205068b34425fe6f7537c9667e370dec5a
AgentTesla
7864620a0e1fdef43163fbc802279ea7a824e794cc9512b7339a76ab3c2f76c7
AgentTesla
80b4c56e36ef0b631c43b78c0b3d8c27c67244300b0ce703bf945534912e3e99
AgentTesla
bb6bf1c0fb36e175528bcef7e126b0345cbaab84206b0b835c14b98787753219
AgentTesla
d525e111135a2e896a657e0ecb849340a683e13c47893c3df15bed3ee5f5aa90
AgentTesla
f9bf3a9f4c6ba16abe57cd52a7ebf59f62ef535ec965f7d294da4ba3f6c39ef3
AgentTesla
ffd474ba42b484a0c7eb8688e37334d55e65c49dcb88dcf3bc542276cd7d5348
AgentTesla
+ 10'624 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-gysxwdskt6/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Drops file in Drivers directory
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar b625749cf5c283ad041e9c358dcaa23c5f2aedc641a147d0cf5e425a3e0e2ac4

AgentTesla

Executable exe b5d738ea5a80bc92eb43fb1eddf4d628412684eda0bdcd2a325a206d1fac0b2b

(this sample)

  
Dropped by
MD5 f04cb9995bec16ac945e7cfaa0d244c9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b625749cf5c283ad041e9c358dcaa23c5f2aedc641a147d0cf5e425a3e0e2ac4
Cape
Cape
https://www.capesandbox.com/analysis/10450/

Comments