MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c
SHA3-384 hash: 1c8bbf73ea0bf2a3400dbfa58813a5c93cf56d3a4e4ddcc2cd01e11fe553af4d2da7a5d2f3fdbff686024a05c9ce92ca
SHA1 hash: 9a1f84cafa68621ae5cc7e154d403cc887783403
MD5 hash: dfbd54b28bd03c8ec3e1c64986c952dd
humanhash: helium-sixteen-single-alaska
File name:DHL Shipment Invoice NO - INV8425487-80228.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:757'760 bytes
First seen:2021-09-30 05:38:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:TRbQ+X8+UiDLbRHahmUjJVQMvqpq3pp/gnMA+byLDt8bsj3U3Iywp5n9dD:9bQ+X8+UiDLbRHahmUjGq3vnA4Wosj3H
Threatray 10'871 similar samples on MalwareBazaar
TLSH T1A3F48C54F11CD2B9FE0822B1253DFCD825F82EA8147DE91BB9D7B1E224B9E3154B01A7
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment Invoice NO - INV8425487-80228.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-30 05:42:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd225a00-b951-4d7e-b00a-33f937194516

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193326/
Detection(s):
SecuriteInfo.com.ArtemisDFBD54B28BD0.12809.28895.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/809241f5-3ee9-4cbd-a8af-de7e5a593f50
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861550
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the hosts file
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 05:39:17 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4zs4e6qxkd2bw562krh6p5hhpsa2gzend4v3xcodcztswkhzuga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fc268f23d1296d162de486acbda3e5e745e52f8bdd255a3813a788ab279dd66
AgentTesla
11158aa236a07183547892ad906115d89ef9e2563f0fe56cc77dcef8bc581129
AgentTesla
1f57778e5448ce6d8834f523299fc5ba868636556c993a4b5f3faabacb36c993
AgentTesla
4fcdae562d7a9bba5bd8997e152ffb33211a2e42c322adfd24b68cf448e5272c
AgentTesla
a51412351320c2876dc38780b18441bbc160c6a0fa21bda69330eeaef1fb6ca6
AgentTesla
d0e52d49dac173d7e660fe4c404de85fdc3098cf323d3969959a4faf71b9b7e1
AgentTesla
e433b3cc952fec02984b9d3678ab71f9e168a5616550f44e7ab3b0548d01ed2e
AgentTesla
+ 10'861 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210930-gca3xsgfcq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1902237025:AAFiDWtJ1TbNwiQBLarM5Nfl9yob5WLm-5k/sendDocument
Unpacked files
SH256 hash:
2c8702e7323eda1a1c39bf05325d68149c8520dc7dc8a9e31d0ec041f30d61e2
MD5 hash:
66e95ee62e6fb6862f80f4199ffe3af0
SHA1 hash:
df99b672b7a6a1d25a02f47780edd24cdbd28210
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
SH256 hash:
38843c1246c75dc43dd4deec307c596b86674000f9b13435ea87d663eb4bd8b3
MD5 hash:
5cb57e675fa8d278b8eea8611fa17579
SHA1 hash:
cf81d09a24215e4463f89ebb55808075aa602b22
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
SH256 hash:
6fef8420a8bd6a90cfe7ac8aeb0e3811422b9b6cb9e0b14ea03f5236438f72ba
MD5 hash:
10c7772f435231d58046e0dc34def127
SHA1 hash:
38c8f9ffb5136848d62582ef41bab6c810121c74
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
SH256 hash:
f882eea93c7e06fd2dfd40ba23f80a220da8b7b05c7e3d490ca0c98c6af97d78
MD5 hash:
88dd49b4bc698cb9978231d198c8144c
SHA1 hash:
2f6216bd6f415f92ab366f52a2db2b7f8248c44c
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
SH256 hash:
f7d272daf3522f99ca67b99bfe557564baba239104c7f20cef842f2e870bdf28
MD5 hash:
cceaca53d81061c0f1c6cf35ca7bf34b
SHA1 hash:
23ba45b249e0e4bdc5a8d4b4b07e2f7509cf85be
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
SH256 hash:
1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c
MD5 hash:
dfbd54b28bd03c8ec3e1c64986c952dd
SHA1 hash:
9a1f84cafa68621ae5cc7e154d403cc887783403
Link:
https://www.unpac.me/results/2ab4e931-252d-4bad-8c01-759cf6ab7079/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1f332e13d0ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f332e13d0ba87a0dbbed2a27f3fa73be40d1b2468f95ddc4e18b3395947cd0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193326/

Comments