MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf
SHA3-384 hash: 918d793936dd3eb102f1a08b830579a9c6f9ddd51ae6429179ef96c5a8a350af21e61b5941bc96ec9ba70421ff568ee1
SHA1 hash: 81b3747bb8408343d9f1fb7aeb9f2d77290af539
MD5 hash: 5519d771cb1a4002da7e04ce47faca17
humanhash: mountain-juliet-mountain-august
File name:DHL ORIGINAL DOCUMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'647'632 bytes
First seen:2023-02-13 09:30:31 UTC
Last seen:2023-02-13 11:31:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 396c902890b802c5ec6bae321a9a9c71 (3 x Rhadamanthys, 1 x RedLineStealer, 1 x RecordBreaker)
ssdeep 24576:vh0lcYjFLvES7GAvfuwAo1bXMTz+PbvqYCc+3Aidm/NDDEVwAkuD4:5evN7tf9ZoowAiMdywAkQ4
Threatray 22'034 similar samples on MalwareBazaar
TLSH T1CB7569B0BA41A060E9DF86F5AA63425E7810D9235F34DD86E34FE5839F6C393E461F12
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0c8d0d0f0b0c0cc (1 x AgentTesla, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:AgentTesla DHL exe signed

Code Signing Certificate

Organisation:cars.com
Issuer:GlobalSign RSA OV SSL CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-30T01:51:05Z
Valid to:2023-11-01T01:51:04Z
Serial number: 58517021882b96d7767dca2e
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3526c89c004e82e1d007b6d6eb6d31f200d0f6ce9ecb9ffc2597d081f7c50e72
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL ORIGINAL DOCUMENT.exe
Verdict:
No threats detected
Analysis date:
2023-02-13 09:45:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50c01f3f-1db6-45fa-b78c-7eeed39a00b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/364929/
Detection(s):
SecuriteInfo.com.Variant.Jaik.117548.1788.20805.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Detecting VM
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/68959/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63ea035a6ea97adc8fc0a13b/reports/663c3395-528a-4ba9-af35-a654837b6cf7/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc6f6864-efa3-4c53-ac31-72e3c47dcdf8
Result
Threat name:
AgentTesla, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173339
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to register a low level keyboard hook
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 806127 Sample: DHL ORIGINAL DOCUMENT.exe Startdate: 13/02/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 11 other signatures 2->56 9 DHL ORIGINAL DOCUMENT.exe 9 2->9         started        process3 dnsIp4 48 2q5vpddoyr5lqfeybxf2.b5p2bdi9gk5 9->48 36 C:\Users\user\AppData\Local\...\6390218.dll, PE32 9->36 dropped 66 Writes to foreign memory regions 9->66 68 Allocates memory in foreign processes 9->68 70 Injects a PE file into a foreign processes 9->70 14 fontview.exe 9->14         started        17 ngentask.exe 15 7 9->17         started        file5 signatures6 process7 dnsIp8 76 Query firmware table information (likely to detect VMs) 14->76 78 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 14->78 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->80 88 6 other signatures 14->88 20 dllhost.exe 14->20         started        38 catknock.com 185.61.154.17, 49698, 49699, 80 NAMECHEAP-NETUS United Kingdom 17->38 40 api4.ipify.org 173.231.16.76, 443, 49697 WEBNXUS United States 17->40 42 api.ipify.org 17->42 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->84 86 May check the online IP address of the machine 17->86 90 4 other signatures 17->90 signatures9 process10 signatures11 58 System process connects to network (likely due to code injection or exploit) 20->58 60 Early bird code injection technique detected 20->60 62 Tries to harvest and steal browser information (history, passwords, etc) 20->62 64 2 other signatures 20->64 23 dllhost.exe 14 17 20->23         started        process12 dnsIp13 44 transfer.sh 144.76.136.153, 443, 49702, 49704 HETZNER-ASDE Germany 23->44 46 192.168.2.1 unknown unknown 23->46 32 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 23->32 dropped 34 C:\Users\user\AppData\Local\Temp\Data.exe, PE32+ 23->34 dropped 27 Library.exe 2 23->27         started        30 Data.exe 2 23->30         started        file14 process15 signatures16 72 Multi AV Scanner detection for dropped file 27->72 74 Machine Learning detection for dropped file 27->74
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-02-13 09:31:11 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=acpqo5mtwk2oyaod5pqtvkh7zgi3mzqqqojocnj4kiwvar7nnppq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
050eb60b9d6dd8b866da3835f3a0393d0376a687129d18738dd223c2242a558a
AgentTesla
168e47767e7013f254e3abb232e279eb43b743438820633a4ecbe52cac4e9ae2
AgentTesla
99c1e9b26ff369764907dd0576d3ac4d9aa4db2f8a85fea23a6dd22ff6df1922
AgentTesla
a9b130790783e321b1817977af11af8117662e77a246e3902479f39cba863249
AgentTesla
b1174532d2b70144c1f9a18b4bfb2fe33e27cfe75608508ce1ddde0ecad51508
AgentTesla
c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
AgentTesla
ce59d2ac679c36ad5169712ed75dd21494e552f8ec9334d8fb4f74f4d83ce190
AgentTesla
d4547527c24bd286f9218a7d165c520e53af7e17e59b475df5d14a45a4e92221
AgentTesla
dc999c9387fdf2312df82d98d0efdab722010a333b6bce2250b3433ba98d8469
AgentTesla
f8348fbc1888f91d067095ec2e7c22ae963b8ec0550b64b5fd153f5cbe1487df
AgentTesla
+ 22'024 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:rhadamanthys collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230213-lg25escc57/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
b4aab0ea9cf560d88cd9b46fc395d6a5ac139732e3c4ff02c39a74107a21faeb
MD5 hash:
27a33941796cd88389a0c1ec4c22d744
SHA1 hash:
63477c178d8d06266816bfc204b7248067d52e58
Link:
https://www.unpac.me/results/70a7c720-f087-45cc-bca4-d8322631f9d0/
SH256 hash:
009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf
MD5 hash:
5519d771cb1a4002da7e04ce47faca17
SHA1 hash:
81b3747bb8408343d9f1fb7aeb9f2d77290af539
Link:
https://www.unpac.me/results/70a7c720-f087-45cc-bca4-d8322631f9d0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/009f077593b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/009f077593b2b4ec01c3ebe13aa8ffc991b666108392e1353c522d5047ed6bdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/364929/

Comments