MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60
SHA3-384 hash:	5f19cf85b06959634a327a2a0533cf05dd8aeaf163c244d09c29e120d949474a3d4c36ff025eae13f4c59fd120a069ec
SHA1 hash:	a39bc0d8cc543b843938036f2672cd0c373c165e
MD5 hash:	39c279a40f2612cb9e45ed2fa248561a
humanhash:	river-summer-burger-west
File name:	DHL_AWB_NO_#3522849002.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	825'344 bytes
First seen:	2023-02-24 13:37:25 UTC
Last seen:	2023-02-27 11:11:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:JUhRuQUaYmUjwxDwZo6JtVq+hucptTmEl3puckBzztx/yGq252JsS:JUVoo+n7ucpoWAcgzhZyZsS
Threatray	983 similar samples on MalwareBazaar
TLSH	T1D605AD88EAB4532BDFDABD367204319F19A0B98137119BFDE7D925B4E204674E2C44EC
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	3096d0f0f0d49630 (5 x AgentTesla, 5 x SnakeKeylogger, 1 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_AWB_NO_#3522849002.exe

Verdict:

Malicious activity

Analysis date:

2023-02-24 14:09:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e8096933-d3fe-4065-a564-e91530c2b368

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369466/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f8bdbd124864afb39e32b3/reports/469d760b-0a67-4ad5-8be2-bf8bf9c332fd/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a6a6f32d-221f-4242-88c6-030f7b89f9b7

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1181926

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2023-02-24 12:30:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=drazapldztccejbpowhnw7yeq2ywhpfwwabru3krl4433zghhnqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1283438598f854513cc5486567c3b41d64064ee7901b30db625704f956a5d633

AgentTesla

17e4e777cf7db066c6a344d5b36610d4124068bbfe4dd23cadcbbc7582805048

AgentTesla

31c4050dc647c5bd89feca0aa84d283add7e27e5a3f64866096aebca7b4f862d

AgentTesla

a9fab340c43939608d6319ff68a8e06c23c20f3e1cd7103400002692c110bfd2

AgentTesla

bd8d44039b39c1303a8873f7a6047ec475b00f82a69c1d480192c1c68a295502

AgentTesla

c1add17549206e0ea3e1025ec81ff8d7e5ae994381600ec84d33eeab50ea7232

AgentTesla

db758d56da8bf2d88700bf3846d3885a5a16816f99a3880beb04a6956c888d7b

AgentTesla

dc0e4f762dfa9989cee78a01c3186d710365695141ec8ea246e5bee245d2944b

AgentTesla

eec946f0290cdbb199c804a9ba1a896b5bcad0d0e62c1e1cdd542f5f3e934808

AgentTesla

+ 973 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230224-qxdh8abe28/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6191932863:AAEw6WZfMHSbIiilSKsmAnJOgaZwvnoMVh8/

Unpacked files

SH256 hash:

8c9f559331de2d8b4668813f321af8257b90aba936c92cae4eeee4b4b2576f46

MD5 hash:

b04b38308a0c61fe4e9d70b701ef8b44

SHA1 hash:

fff249331f8cea3255d45dab63b443d88f29ac90

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

SH256 hash:

ffd38ec91854fa4ab12dab9ad4cb191305c5fa849238deb67137f6061a9d17dc

MD5 hash:

b8c03380b10f5448bf3be567abdbd4d9

SHA1 hash:

dffd743bdceb24e72262bdcd6ffb635f5bdc1a42

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

Parent samples :

d5d18f9417c9f5268a707e6c276d8318f0bc399302ff07d8d8319257c9dac063
21d455342573c58b10724e61e0fefadd32fd934b573b8f6f655e52e08dadc8bf
a955da66c4fea454fc830bec547d560ea494e777259e38f195f7c7266fbd8ee3

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

dea2369b7d4c0bbad43ececcf9ba24cc7dc8e46c3de236b154cb9d5af0cbf5be

MD5 hash:

6336ffa05034538ea24a4bbd92249135

SHA1 hash:

7641540073babd9c68fd35144475bbeaaf637904

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

SH256 hash:

80135c98251483b4df3a76973424e6490b1823dc6cdd931fb4a6e4a4d8419ab5

MD5 hash:

5400b6f6be0da8bb56349349c1af860c

SHA1 hash:

495485b694b2e1fd0848ffa98c855dbe887545e2

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

SH256 hash:

1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60

MD5 hash:

39c279a40f2612cb9e45ed2fa248561a

SHA1 hash:

a39bc0d8cc543b843938036f2672cd0c373c165e

Link:

https://www.unpac.me/results/fd5f6223-17e0-458d-9c10-265e09602506/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c41903d63cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c41903d63ccc422242f758edb7f0486b163bcb6b0031a6d515f39bde4c73b60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369466/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample