MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb
SHA3-384 hash: 4618261af39ed1bc0b551bfab90518248fe8c9ca885ec07e3fdf8529b734499f1ab9e5c870bc42828407eebc820ea6df
SHA1 hash: bd541bef842c9eae6b95832a66ebc3a64a96127c
MD5 hash: 9e51e1ce0b08d52e9137766a506c9ab6
humanhash: stream-mexico-skylark-table
File name:Shipment_notification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:332'651 bytes
First seen:2023-02-28 13:35:19 UTC
Last seen:2023-02-28 15:27:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:DYa6vttoddybjf9EdeDXvQ5BB9U5aLtBNI4PIjqTIHwiSqipJWfiwB4erHJ3ed:DYtvk4buAXYBBhLNOqTIHuQJ4et3ed
Threatray 1'239 similar samples on MalwareBazaar
TLSH T1606423693394D8F7E9E267321E34A76EBFFED9104465EE0BA7A0496CBC21510B70E314
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment_notification.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 13:36:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c63d02a9-830f-4d80-bed4-8ffa6accc880

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370631/
Detection(s):
Sanesecurity.Malware.28947.BadP.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63fe03452ea6b369663006f7/reports/3ec7905e-13c1-4f43-9e94-fb3113ccf136/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14ab1a91-512b-4441-9f99-a7b2abca13b4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184276
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 10:01:28 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bnkecohgptuick5jbx5haxjz5h2be3xmk6xlpya6rh3xnt3drhvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09fb849e8e9e88b102e2935c7e7fac8fa1fe4c71e464e397bbad798a16e94c18
AgentTesla
10edaae8239d4e59d1a9d8b84f70ab26374f9588f777b995c337ccc0e9630fa1
AgentTesla
2c9702d9867875e0886e52ee656385ce638a879a9deb55ce4ed52f3d6335e849
AgentTesla
5e517d06a3b252c0bced1ed16f1741fa73b4e0d4b81ec2daf71b57954604afc8
AgentTesla
aaf0aae0610d84f673e476995899a9fd5169ade32485bbfa248b6571132b100b
AgentTesla
c5b83cba12fc69072661e0c8d473ed6d4263580764f0ac0476e4306df3f71e64
AgentTesla
f4cd4df9815a2c3902f07a5389fa171f3fd6b27ae1e9af262d19d6bd286ae9cd
AgentTesla
+ 1'229 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230228-qv8xcabb7t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
61655315a15ed18ab34352988da8b2bf7c505bb380ae0a6891fafc14cc29e42d
MD5 hash:
8d7b39a8302bc8a43e65d1d34cc903b9
SHA1 hash:
e9dd615db4fa7a3716b1f06544f6a4f37d61b0ef
Link:
https://www.unpac.me/results/0cdbbeda-9e06-4e5e-bf98-8704e97d69a9/
SH256 hash:
396c6fe7ff655657383e3feef7d1b80cee25b23a81e4774e7844edb84faa42ff
MD5 hash:
8498a904ebb1bea7d7d9c6a4b3553ce7
SHA1 hash:
5930656c54c32fa2a0437935e7741321c0fa488a
Link:
https://www.unpac.me/results/0cdbbeda-9e06-4e5e-bf98-8704e97d69a9/
SH256 hash:
c462ef4a716a3354d1a01c4404c7a4a5dbdce5f7542fa1cdd0733a04679f252e
MD5 hash:
4148c56df4ab2b941df12b7500cfa488
SHA1 hash:
16847416842a65e640b16df9b81d268d90b5683c
Link:
https://www.unpac.me/results/0cdbbeda-9e06-4e5e-bf98-8704e97d69a9/
SH256 hash:
0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb
MD5 hash:
9e51e1ce0b08d52e9137766a506c9ab6
SHA1 hash:
bd541bef842c9eae6b95832a66ebc3a64a96127c
Link:
https://www.unpac.me/results/0cdbbeda-9e06-4e5e-bf98-8704e97d69a9/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b544138e67c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 501b37fe66a037f8eaba5c9f49f961ecc72ae6f1dc8ae399997f26b9744c369a

AgentTesla

Executable exe 0b544138e67ce8812ba90dfa705d39e9f4126eec57aeb7e01e89f776cf6389eb

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 501b37fe66a037f8eaba5c9f49f961ecc72ae6f1dc8ae399997f26b9744c369a
Cape
Cape
https://www.capesandbox.com/analysis/370631/
  
Dropped by
MD5 c642f8452f037b56b5e3cba459d35dbf

Comments