MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0bc48e2efc61427a301db89cf4c3497e235cc0ef388db3a26ba94ac734de69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de0bc48e2efc61427a301db89cf4c3497e235cc0ef388db3a26ba94ac734de69
SHA3-384 hash: 70b3f0bfa9bc7fe018c14453759c81dd7d518d45e8e773961dac585a4ff653e3ca6b214b9ea5ec20bdeb9cebb7b2655e
SHA1 hash: 11e0a110b56219a177f9868fffbffe6b91b25edd
MD5 hash: e23e136aa369ed40337780e8412de097
humanhash: jupiter-august-cola-jupiter
File name:DHL SHIPPING DOCUMENTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:423'424 bytes
First seen:2020-06-15 05:45:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:5hBQikd41/ALZtNtcPfP4+ssOwX0UYS28PME2oE5zMt7lrPxIcQS60ymtA4AIWmR:5X9gQYFtNtufP4+SZ8PME2owg07g5V
Threatray 10'616 similar samples on MalwareBazaar
TLSH 899412087B9C1660C3BCA27ED6EA099443B3D5831972E32F9A8C306C1F577E69562F47
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 162-241-215-159.unifiedlayer.com
Sending IP: 162.241.215.159
From: DHL EXPRESS <Shital.Adecco@dhl.com>
Subject: Re: DHL SHIPMENT NOTIFICATION
Attachment: DHL SHIPPING DOCUMENTS.7z (contains "DHL SHIPPING DOCUMENTS.exe")

AgentTesla SMTP exfil server:
montana.co.ke:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10274/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34016426.19424.29719.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 03:26:31 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yf4jdro7rque6rqdw4jz5gdjf7cgxga544i3m5cnouuvrzu3zuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
084be7d5522c7679dc17d1aecc5e9bf4e23a1326b4632afd656a72f74a5e9e5a
AgentTesla
10c92a743776387e98c647c1c9549260629e925554df4b098b3ef48ab4906419
AgentTesla
17f583d0dbe0207abb037690c7fab3fd697a9f6112c4c4a6e67461b06546daf0
AgentTesla
1b5523701605c4129803c0161e955d96ec30d18370d8783dae4a257220d0e695
AgentTesla
40e0bca62b48fe04fc0fa37d223d901a3970b0930590f08c11fa6023469bd231
AgentTesla
9cf6d3ac0471037df2eff34d6156961982d84bcf9ca3296eca6988f508d72834
AgentTesla
a5fc1c186bd2f864a83e308d0ace39f6efdeeaa76ac5eb56ae75dad3e9b0c96c
AgentTesla
aec020a6546f4efe2d5766ae7e7da2816c11badee1879d37de7845538b03035b
AgentTesla
c72bce28d1e0909a66971dfa01aa823b767a73da5cedc0679e962dc9230fdf56
AgentTesla
de17285437a4c1de71dae13eda552553af99577fdb088e7715aaf877a0cb1b13
AgentTesla
+ 10'606 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-s7ly4cgcex/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z d2bb015e854f37e72248b11888db6c15d7ae134ba60b409be46aff0f46c89571

AgentTesla

Executable exe de0bc48e2efc61427a301db89cf4c3497e235cc0ef388db3a26ba94ac734de69

(this sample)

  
Dropped by
MD5 83834653aa8881c5859b65d328f0f0fd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d2bb015e854f37e72248b11888db6c15d7ae134ba60b409be46aff0f46c89571
Cape
Cape
https://www.capesandbox.com/analysis/10274/

Comments