MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 208aebc0e600e0bfa453d7b7bb5275f42640586d20940b992cc65faaff8b9aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	208aebc0e600e0bfa453d7b7bb5275f42640586d20940b992cc65faaff8b9aaa
SHA3-384 hash:	626f48b45b87925e782adf3c7e072f7f5aba68f81421102a75176b57500aef0981916a4733eba5569ee789195d5a2e0d
SHA1 hash:	b133ef1d0c2ee454c8503df7b4d1aca8e8ec80d0
MD5 hash:	aaf111d1f2bc53b6df7a8103f91d968e
humanhash:	east-zulu-lake-hawaii
File name:	DHL Shipment_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	760'320 bytes
First seen:	2020-07-16 08:56:23 UTC
Last seen:	2020-07-16 15:08:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	16b3dd4ab50d24202f43f84f949a698b (3 x AgentTesla)
ssdeep	12288:945y89CxgV6xWZpLy854krNVEAeXmqcYIHGU7lnl8Tak:KYTxkFG8xrNWXmqcfHJlnO/
Threatray	11'775 similar samples on MalwareBazaar
TLSH	0AF4AF52E2E04432C16725789C1B9BB8A935FE1039689E476BF47C0CAF7D781397A2D3
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: earth.dotsi.pt
Sending IP: 188.93.232.9
From: DHL EXPRESS <worldwide@dhl.com>
Subject: DHL Shippment Alert!!
Attachment: DHL Shipment_pdf.gz (contains "DHL Shipment_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26575/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Creating a file

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389495

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/208aebc0e600e0bfa453d7b7bb5275f42640586d20940b992cc65faaff8b9aaa/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-16 08:58:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecfoxqhgadql7jct2633wutv6qteawdneckaxgjmyzp2v74ltkva._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

63e13b77ab8cff1a49631d5806a3c1530c725f36ea9defa954e1a38f937c49c4

AgentTesla

7a477a446769be5e8f006df9f0b2a77439d269acca020f44954ec93a98252164

AgentTesla

812f79b6a6beba3214cee4b325afb9c5483100aa082bb2e90ea7a6ce835661a0

AgentTesla

a74295a274ff106c67e3260aa2c550ea29126405565ac8104046bbf31d5f083d

AgentTesla

d00396bdc41d762fcc1612605e951071919d7bb0fbce02491c805d2d42d767a4

AgentTesla

eaec22c2d23bb4d85d21b80ce1cc4b3874964631f615d1975cdab03467078f5b

AgentTesla

ec6cfe036b88320b3208921df633e7ec0e1fbd3353e6fdc9d621d5cce1b9a27d

AgentTesla

ef3cbb89feca43a0f0756ff2c3e485755e38f2d4ea6f807e7c09fe31ab710920

AgentTesla

f79a00a5a78540c33e096805046cae230765cd3bd62fa5e077673f3c873cc547

AgentTesla

+ 11'765 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200716-5fsqy91vg2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar