MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e
SHA3-384 hash: 21ba5615bf3500f55a3e85bfb91f5ff4b5797e637dd7dc635766006c54b05f298a2de8b1a9d93a13442cb81b464fe174
SHA1 hash: 7a5f8f1279748111f3b46d32d119de92f5bcc8e4
MD5 hash: 5e7432bd27aa3e4e08c3d73199b59a50
humanhash: fish-tango-princess-sixteen
File name:dhl_26072020_AWB28072020_INV88729900.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:743'424 bytes
First seen:2020-07-29 06:56:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep 12288:DRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXJi27ugcERJowlmjuGr:Dfd8z4byilBdlGXSjiMjn
Threatray 11'422 similar samples on MalwareBazaar
TLSH 27F4AF66B2E14833D1672E789C1F57649F3ABE102E3859862FFC1C4C9F397813866297
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp.outgoing.loopia.se
Sending IP: 93.188.3.38
From: DHL|Express Shipping <nabavka@zelvoz.rs>
Subject: DHL -28072020_AWB28072020_INV88929900
Attachment: dhl_26072020_AWB28072020_INV88729900.zip (contains "dhl_26072020_AWB28072020_INV88729900.exe")

AgentTesla SMTP exfil server:
smtp.wtgriderline.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34281/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.10936.15784.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401421
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 23:25:45 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrs66tqe5v6nglj5y3gd4uwkmvdsd7p5nfv2u7ldldts65newvpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f263962c238b4055e7314a1be8a1d4b9f2c929da4806257ffe0c4a9d8c313ad
AgentTesla
29e5d8196d419e7731d97b71a59f0cb5f4158cf3c7e285241bf74d05815b734c
AgentTesla
3ff12e5656da20f43c70d051b320420da82d2fcecdb5ea2c7acd2d6eb7ec24f6
AgentTesla
4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925
AgentTesla
6c882aeb918e424cefe1068a6d3fbff5526c31e185716bf3a0d5ae0295772f09
AgentTesla
8e1f5e94e0e8ea6f82b75d5b21f3964b77df3810c65a875c1ddfcaef53c5e10f
AgentTesla
a83d00913bb5e3f6e95d31626388d67c0db45fbd098d68e63e88c0167f248620
AgentTesla
b0d235b9c088e9a63aae30dba72eb886b6b08ef8a664d9979943ddfa6c04e086
AgentTesla
b1e971ba689623d9fbc5befb741a9d9e046515a0c05d0adc27a165471bc6303d
AgentTesla
f255241a0343f23d9e0b2fd5a3e81be32ac570b70404ff91b01536c8c9b055b3
AgentTesla
+ 11'412 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx spyware
Link:
https://tria.ge/reports/200729-5rnp6gz3e6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 61bd6c78433c7fb6161d62f7c2729c207b5352c2783365eb82409f708fa468f8

AgentTesla

Executable exe c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e

(this sample)

  
Dropped by
MD5 733dafec3ac678c115c043dacb5c0612
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34281/
  
Dropped by
SHA256 61bd6c78433c7fb6161d62f7c2729c207b5352c2783365eb82409f708fa468f8

Comments