MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aea4e7b8481bcdd7b508a00f90e0547c40aa2dfe47805c4f199b136cb31e12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1aea4e7b8481bcdd7b508a00f90e0547c40aa2dfe47805c4f199b136cb31e12b
SHA3-384 hash: 5733c32247d48b1cafd213397df61b957ba746af14b05933e1704f50106cd8c3e7a027b5ebda73a81c4ad78efb987eac
SHA1 hash: c9dfee18c0ce7f347d8ca34834ed2dc939c8605a
MD5 hash: c777e10b85823e280255fd47281190ba
humanhash: october-berlin-video-three
File name:DHL_document11022020680908911.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:50'200 bytes
First seen:2021-03-30 06:26:30 UTC
Last seen:2021-03-30 07:59:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:lATThGlGvD0AQqtI2imKNOq2Hz6arZgS3LmOpOruBG4mJLfMurqCNwDJnF/5eeYF:lnGvD0AX9KpAVOJL0/ethn
Threatray 43 similar samples on MalwareBazaar
TLSH 2D33A7AB2255F5C7CA8A5532DB4FD8543D28E335EA81870BE052C26CEACB5777DC84C8
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_document11022020680908911.doc.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 06:30:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e690b24-7655-465c-bd5d-b310ced38485

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127903/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.61403.2711.27800.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file
Moving a recently created file
Creating a window
Launching a process
Creating a process with a hidden window
Running batch commands
Setting a single autorun event
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9af95159-d78e-49f0-8a91-e1f5fae0510e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658017
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377941 Sample: DHL_document110220206809089... Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 System process connects to network (likely due to code injection or exploit) 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 8 other signatures 2->71 7 DHL_document11022020680908911.doc.exe 18 11 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 59 x11fdf4few8f41f.com 172.67.137.73, 49703, 49710, 49716 CLOUDFLARENETUS United States 7->59 55 C:\Program Files\Common Files\...\svchost.exe, PE32 7->55 dropped 57 C:\...\svchost.exe:Zone.Identifier, ASCII 7->57 dropped 77 Adds a directory exclusion to Windows Defender 7->77 79 Tries to delay execution (extensive OutputDebugStringW loop) 7->79 81 Hides threads from debuggers 7->81 83 Drops PE files with benign system names 7->83 18 vbc.exe 7->18         started        21 cmd.exe 7->21         started        23 powershell.exe 26 7->23         started        35 3 other processes 7->35 61 192.168.2.1 unknown unknown 12->61 25 cmd.exe 12->25         started        27 powershell.exe 12->27         started        29 powershell.exe 12->29         started        31 powershell.exe 12->31         started        85 System process connects to network (likely due to code injection or exploit) 14->85 63 127.0.0.1 unknown unknown 16->63 33 WerFault.exe 16->33         started        file5 signatures6 process7 signatures8 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->75 37 conhost.exe 21->37         started        39 timeout.exe 21->39         started        41 conhost.exe 23->41         started        53 2 other processes 25->53 43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1aea4e7b8481bcdd7b508a00f90e0547c40aa2dfe47805c4f199b136cb31e12b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-30 01:15:05 UTC
AV detection:
14 of 43 (32.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlve464eqg6n262qriapsdqfi7caviw74r4alrhrtgytnszr4evq._file
Verdict:
suspicious
Similar samples:
0456c33539c62c09bfd8ea53b3848e63a7d62b5ddc05ec1e806e1db12adf8f7b
AgentTesla
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
AgentTesla
32c3ae8cd868f60dc052888ac37dda6e70a4e524a290b0e0aaf32967da7490db
AgentTesla
65e57627e0e6f9f3366fc32618deed8b57ce718a61e312090bb715ada018bd9f
AgentTesla
6687134582d1dd1a69b086546e77e014fb38c67ed6190b8b629579ecd534b051
AgentTesla
725422976036f66aadde06633c41bc88fa4f55020051b22a644ee6668a3f7c31
AgentTesla
878c680864cd95fc8be624b36d702a2ce4e0d9c7a5ce127c5b4d3cbbb7d6407d
AgentTesla
989f330817cadbe60308cdd0977792aa3ee8fd2f55b2e92ed32d2416de16c32d
AgentTesla
f8749ca876587c5f8fa58378ac2b02aabd0572a01a9a54d05716f976ee6fed23
AgentTesla
fd52b7c2b69a57bfa5bfb3ca6414665be1ff6f17d4d7ab061a8df45721fb3307
AgentTesla
+ 33 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210330-6mcreh2dva/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Uses the VBS compiler for execution
Windows security modification
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
1aea4e7b8481bcdd7b508a00f90e0547c40aa2dfe47805c4f199b136cb31e12b
MD5 hash:
c777e10b85823e280255fd47281190ba
SHA1 hash:
c9dfee18c0ce7f347d8ca34834ed2dc939c8605a
Link:
https://www.unpac.me/results/78ad07c5-caf6-422f-8eee-b941c35b3e13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1aea4e7b8481bcdd7b508a00f90e0547c40aa2dfe47805c4f199b136cb31e12b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127903/

Comments