MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
SHA3-384 hash: 24a598997eb0e04cd60f97f7c614d3d24d2c9599c01491f464f88b9ee82b89ec68d23721c7731c5bd51742ee91088beb
SHA1 hash: 52947d3d881c54135d2049681c488ade7919b9e4
MD5 hash: e00b509f4c0a81cbfd51bba4f7cf9831
humanhash: island-mirror-carpet-idaho
File name:DHL DOCUMENTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:885'515 bytes
First seen:2023-08-03 15:43:13 UTC
Last seen:2023-08-03 19:32:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (388 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:NTbBv5rUanep+5lli8A6BGa6mXcqIAXisQxQFSDu:HBjey7i8APLAXisQxVi
Threatray 5'124 similar samples on MalwareBazaar
TLSH T1CE151202BAC158B2C4761D335A786B20A93DBD301FA5CEDF97D04A2DDA725C1D631BB2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2023-08-03 15:45:40 UTC
Tags:
autoit stealer agenttesla
Link:
https://app.any.run/tasks/f526e499-49b6-41c9-82a7-7d5eab273a9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/440112/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm autoit cmd control evasive greyware keylogger lolbin masquerade overlay packed replace setupapi shdocvw shell32 wscript wscript
Link:
https://www.filescan.io/uploads/64cbcb43539838c2be521b10/reports/36bcc32a-8a24-4d1f-9dd1-b6f8f7467c5d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/27bc70ee-f4b5-46af-acc3-bc34f3a574fa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285222
Signature
Allocates memory in foreign processes
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1285222 Sample: DHL_DOCUMENTS.exe Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 94 Found malware configuration 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 Yara detected AgentTesla 2->98 100 4 other signatures 2->100 9 DHL_DOCUMENTS.exe 76 2->9         started        13 tbskqujt.icm.exe 1 1 2->13         started        15 TbMBQ.exe 2->15         started        process3 file4 62 C:\Users\user\AppData\Local\...\tbskqujt.icm, PE32 9->62 dropped 110 Starts an encoded Visual Basic Script (VBE) 9->110 17 wscript.exe 1 9->17         started        64 C:\Users\user\...\tbskqujt.icm.exe.exe, PE32 13->64 dropped 112 Creates multiple autostart registry keys 13->112 19 RegSvcs.exe 3 13->19         started        23 conhost.exe 15->23         started        signatures5 process6 dnsIp7 25 cmd.exe 1 17->25         started        27 cmd.exe 1 17->27         started        30 cmd.exe 1 17->30         started        66 mail.asgamaltex.com 19->66 68 asgamaltex.com 19->68 70 3 other IPs or domains 19->70 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->102 104 Tries to steal Mail credentials (via file / registry access) 19->104 106 Tries to harvest and steal browser information (history, passwords, etc) 19->106 108 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->108 signatures8 process9 signatures10 32 tbskqujt.icm 1 74 25->32         started        36 conhost.exe 25->36         started        114 Uses ipconfig to lookup or modify the Windows network settings 27->114 38 conhost.exe 27->38         started        40 ipconfig.exe 1 27->40         started        42 ipconfig.exe 1 30->42         started        45 conhost.exe 30->45         started        process11 dnsIp12 52 C:\Users\user\AppData\...\tbskqujt.icm.exe, PE32 32->52 dropped 54 C:\Users\user\AppData\Local\...\tbskqujt.icm, PE32 32->54 dropped 56 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 32->56 dropped 58 C:\Users\user\AppData\...\tbskqujt.icm.exe, PE32 32->58 dropped 80 Writes to foreign memory regions 32->80 82 Allocates memory in foreign processes 32->82 84 Injects a PE file into a foreign processes 32->84 47 RegSvcs.exe 17 4 32->47         started        72 192.168.2.1 unknown unknown 42->72 file13 signatures14 process15 dnsIp16 74 asgamaltex.com 104.152.168.38, 49718, 49721, 587 CROCWEBCA Canada 47->74 76 mail.asgamaltex.com 47->76 78 2 other IPs or domains 47->78 60 C:\Users\user\AppData\Roaming\...\TbMBQ.exe, PE32 47->60 dropped 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 47->86 88 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 47->88 90 May check the online IP address of the machine 47->90 92 3 other signatures 47->92 file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894/
Threat name:
Win32.Trojan.Runner
Create hunting rule
Status:
Malicious
First seen:
2023-08-03 10:26:56 UTC
File Type:
PE (Exe)
Extracted files:
101
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ai7i6nj726figkaylf5idqb24quhv5224khqfmv3vf67ornqtcka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
128b4d5b46b29d5a788f28a9059f7ad139afea6a686eed22acbf05e33ecab3f9
AgentTesla
2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
AgentTesla
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
AgentTesla
53ed19bdd82010971c4de9eab9e63bf174f0da20c5c0c702976ea3e22f354201
AgentTesla
601dc4de31bcaa59570d7ec039396da0c846daa9fca986721617c2574d7c11f6
AgentTesla
658d5f23cc2d33d6d5883e6dbe0e43f80fe93983c53943e8067d18ae161c119d
AgentTesla
6efd2481d8f463c87e0eac63a7330072e2cf9af82216e5b70bc10b7ac5989513
AgentTesla
726bc1cc141d4ad30a0a1622d3aa8ac21af76273180b0efd160d2cc12d4a7fcb
AgentTesla
e6d98d839dd2372b008ed4ec970c951963b863f89959d2d917cbe32fe7ce7f21
AgentTesla
+ 5'114 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230803-s6gcksea29/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894
MD5 hash:
e00b509f4c0a81cbfd51bba4f7cf9831
SHA1 hash:
52947d3d881c54135d2049681c488ade7919b9e4
Link:
https://www.unpac.me/results/47999acd-8758-468e-9797-29da4259f0e6/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/023e8f353fd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:pe_imphash
Create hunting rule
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 023e8f353fd78a832818597a81c03ae4287af75ae28f02b2bba97df745b09894

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/440112/

Comments