MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a16cb81dd821dece755c1cf69446c8216622560560c6e4305aa0afab0038de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a16cb81dd821dece755c1cf69446c8216622560560c6e4305aa0afab0038de
SHA3-384 hash: bdfdf0b0aae1e69c0457fa8c4417c621f0136c62a61360c4bcf97c5dbcc4214b8ac38b1b93e08925542b0f4f173a40c3
SHA1 hash: de9f226da56d33b030a78e181fe7bf4f523a67ac
MD5 hash: 7b26b737223eea495f860ee64284cfb9
humanhash: floor-blossom-lactose-cola
File name:DHL Shipment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:772'096 bytes
First seen:2021-05-30 06:09:54 UTC
Last seen:2021-05-30 06:50:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:oNjj6NDEZXK1oGtTpvc4bXc7cqE5XM5W2UNp:oNjaA611TpbX2lE5qW/b
Threatray 5'383 similar samples on MalwareBazaar
TLSH 3DF4AE6606C86581FD2C5AF38183FDA7D3F4016F7E31C2AA2948C7087AFB76B5E06645
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment.exe
Verdict:
Malicious activity
Analysis date:
2021-05-30 06:23:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/54785897-54c5-4273-bb4b-912511dfc2f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/163219/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36993315.31709.29258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794323
Signature
.NET source code contains potential unpacker
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06a16cb81dd821dece755c1cf69446c8216622560560c6e4305aa0afab0038de/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 12:19:15 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2qwzoa53aq55ttvlqopnfcgzaqwmiswavqmnzbqlkqk7kyahdpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20649a9922f5fbcc070cf6d8455621b0891217ce1167f89c23ab6964abb90aaa
AgentTesla
27645f1d148b659a43b23aff406fd0a354c0f4c5ad89eadc475cc5b58244c83b
AgentTesla
39540a67e127cb27a4082b5e63f7d3d82963fec9f56e5a739f9f2b1a1e854baa
AgentTesla
4316dbece42e93640c8df6fab16f81e09d207967c9e94b908b96f680c0469064
AgentTesla
8f75c88c3376308b7053698d849a6f228cd9ebde1fec893fa850d4fa9e9ac25a
AgentTesla
91c721be1fbcbe252218eed8b8e8b89c46f49b26def8efebf1f30aaae1055725
AgentTesla
938a1c15eab21846b96971f70eac4ef78f273adf89d6305aee7b91f5212e9013
AgentTesla
988bbad8a48d5a66c06478290c947492ae662576793a26028d9a87fa652b84aa
AgentTesla
e60c96af9c671afb6096d78d825d9e28d969ed94f25376300eb97f64b25bdde5
AgentTesla
f134da53b5e6400a6b810bcb5883d2ecaf6e3c0f973ccdacc5ddb93ea0c9194a
AgentTesla
+ 5'373 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210530-dpfsds4lca/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a16cb81dd821dece755c1cf69446c8216622560560c6e4305aa0afab0038de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 06a16cb81dd821dece755c1cf69446c8216622560560c6e4305aa0afab0038de

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/163219/

Comments