MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad51611a2053587275ec40318c63e952f1dedd82753010ef3716999cc41c9d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad51611a2053587275ec40318c63e952f1dedd82753010ef3716999cc41c9d7
SHA3-384 hash: 46c9aab1eda823ba174fa5a2b08e9b2e59415d85598b45193923d00f8f0180bcf6bc6a51f1f78f21f6499044fb4f2ba9
SHA1 hash: fb037c0ef4aa55914a0a59d44413a69f85c558c6
MD5 hash: 203fc26510ef07de316e740fb2c40418
humanhash: eleven-snake-london-triple
File name:DHL Original Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:699'392 bytes
First seen:2020-07-04 15:50:43 UTC
Last seen:2020-07-04 16:45:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:i/gWd/MfJurpU0bHHZhT8o0f4LO2pOzPeFHzUStu6EbLtdBmfXvniUnc51V2+1vK:5WBOurBlBe49rdEXtdgviUcI+1v2
Threatray 210 similar samples on MalwareBazaar
TLSH 75E429387B919426E53E0A3684E551D5A370F5873E13CB0F7ACA532C6E123EF3B46296
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vmh18397.hosting24.com.au
Sending IP: 103.237.108.115
From: DHL EXPRESS <support@dhl.com>
Subject: DHL CONSIGNMENT ALERT :
Attachment: DHL Original Invoice.zip (contains "DHL Original Invoice.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.23885.3004.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fad51611a2053587275ec40318c63e952f1dedd82753010ef3716999cc41c9d7/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-04 12:15:48 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lkrmencau2yoj26yqbrrrr6suxr33oye5jqcdxtofuzttcbzhlq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b677efbb2d332ea0a8fe453281fa6013bf223e7897d8419f98b13e5fbf48615
AgentTesla
340f91f6a1fcdbc340294c22c13f6c33b0a32e39be276ba04f8a87fad1059ca5
AgentTesla
3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508
AgentTesla
52f5a6edefd196a3396c1bb0c499a2d02868361aca19824bdde34e4003357f0c
AgentTesla
6fb3cc3f910373a884690e6f66d5eb7506095dd1e9856d8deff777fb47cbdd06
AgentTesla
7201787f662618eb96e10f46c29872dadecf33f6b12920eac8ec9b9dd1724cd6
AgentTesla
866ece40ac3cb176771792b217bafb77ef9da017f3962920b46b2d108609fc39
AgentTesla
8867a152f90a76d696141c7144b160b21607bed11da3aa3f0d3f0e25035ee36f
AgentTesla
a9568b036d4f3245151a68d35ac9e295dadc54d8b8528896b285497157bf2f35
AgentTesla
e356d7e8758967daa9f5d129eef727202e2c48d2808355924cf247aebc1bd336
AgentTesla
+ 200 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200704-nte9ya3hmx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip dedc58ae172caa21e54b91a00dd882e1e7e8ebea94fbda64bb733d288a8870dd

AgentTesla

Executable exe fad51611a2053587275ec40318c63e952f1dedd82753010ef3716999cc41c9d7

(this sample)

  
Dropped by
MD5 71caed7c8c9e35e25f2fa83a56d6d48b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dedc58ae172caa21e54b91a00dd882e1e7e8ebea94fbda64bb733d288a8870dd
Cape
Cape
https://www.capesandbox.com/analysis/20215/

Comments