MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c232315ec5a855ccbdaa25487c1b90423692022847b9c67d98a34a78f2e0c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	17c232315ec5a855ccbdaa25487c1b90423692022847b9c67d98a34a78f2e0c0
SHA3-384 hash:	31f83ac3afa757843644df355bfcc0ca22d045fa7127648f5c3830791faaf08a8e0dd35a0e6d67ec6a47ccd660a6a542
SHA1 hash:	f7a8169d0787c35fe8da1815978856ef7edfa457
MD5 hash:	509801a64801b62538fa22044aed31c1
humanhash:	pizza-failed-white-oranges
File name:	DHL Receipt 122481117733.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	208'896 bytes
First seen:	2023-01-12 06:19:35 UTC
Last seen:	2023-01-12 07:34:35 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:66Ep5W0HZTLiS+8qU1O0bxXdvFZ961ug:/0HjyAJd9+
Threatray	1'218 similar samples on MalwareBazaar
TLSH	T17014E143379B8320C964663688FF082503E69B823E73E79A3D0D63DD4A523D79D45B8E
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	ankit_anubhav
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_Receipt_122481117733.iso

Verdict:

No threats detected

Analysis date:

2023-01-12 06:14:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e665c3d3-9ae0-45c1-92a0-1a9826ef8a1f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352161/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64916085.23906.28743.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/63bfb5f976cf1dd374b64f20/reports/6f7da31b-06c4-4242-bd2d-e8c0a7872d81/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ccdf463b-c898-43eb-81de-cd740c8e004f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1150095

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17c232315ec5a855ccbdaa25487c1b90423692022847b9c67d98a34a78f2e0c0/

Threat name:

Win64.Trojan.GenSteal

Status:

Malicious

First seen:

2023-01-11 09:36:47 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 41 (46.34%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c7bdemk6ywufltf5visuq7a3sbbdneqcfbd3trt5tcruu6hs4daa._file

Verdict:

malicious

AgentTesla

2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

AgentTesla

4e586d008dc06d3c77d590393b4e565273b30ef2b536a193976c9a82353878bf

AgentTesla

c0d65ece75e672f0542bc206242fc7e964e234135e59553c56fbb7eb826633c5

AgentTesla

c74929574525d986322053d5633a90c856821ef7c6a57cb2b71c732fcdd93ff2

AgentTesla

df16ab790a09329e447422f579382e23f5d3212c63a9b90c80c61405af18d57b

AgentTesla

fdcd78a70ccee419c0ba4960d470fc5c6d299eb126c668be574b380f61a72cb9

AgentTesla

+ 1'208 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

collection

Link:

https://tria.ge/reports/230112-g3q7tsbb4y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1f7d2c31-f073-4d0d-8729-ef38e0483535

Unpacked files

SH256 hash:

17c232315ec5a855ccbdaa25487c1b90423692022847b9c67d98a34a78f2e0c0

MD5 hash:

509801a64801b62538fa22044aed31c1

SHA1 hash:

f7a8169d0787c35fe8da1815978856ef7edfa457

Link:

https://www.unpac.me/results/47582226-7686-411e-b6bb-408d5e438751/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17c232315ec5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/17c232315ec5a855ccbdaa25487c1b90423692022847b9c67d98a34a78f2e0c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352161/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample