MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466
SHA3-384 hash: b2cef68ad4d9700108f85cbff9ed646e7525f939e605e3638afb74ffce2b887bcfe72e61b0adee7289b7edbcaca26fe8
SHA1 hash: 857ffadbe172bab0c1ebfcfd28ea17d1e2f97c0c
MD5 hash: a96418b82f6184e6ed717414124e78d3
humanhash: saturn-table-football-green
File name:COMMERCIAL INVOICE, BILL OF LADING, ETC DOC.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'600 bytes
First seen:2022-01-20 06:57:08 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:heVUCFtqQ/XFc/Mf1Eeh+kf6FxCAVBdm+:GFtRXFc/Mf/hheLVHX
TLSH T1D694239F57C8F8A4F014DD5FA6975F09C6A004F0EC9A36D12F0EFE65A3966FA3905880
Reporter cocaman
Tags:AgentTesla DHL INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Express <customercontrol@dhl.com>" (likely spoofed)
Received: "from dhl.com (unknown [45.87.62.139]) "
Date: "20 Jan 2022 03:17:01 +0100"
Subject: "DHL Shipment Notification : 7348222141"
Attachment: "COMMERCIAL INVOICE, BILL OF LADING, ETC DOC.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_badexts35.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed print.exe update.exe
Link:
https://www.filescan.io/uploads/61e907fcd32385db630d5340/reports/d44af07c-5804-4b88-9d41-227c7f0dec84/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 04:50:30 UTC
File Type:
Binary (Archive)
Extracted files:
22
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecqr3ggtkvkrpjzuzbenvxk5sgm6dox6ntk3o6oqqwvloib4mrta._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220120-hrha8agegn/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Sets service image path in registry
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 20a11d98d3555517a734c848dadd5d9199e1bafe6cd5b779d085aab7203c6466

(this sample)

AgentTesla

Executable exe 5c32a6274a0a7bd4e25bc4f55d8b27f649b99bfcc00b325462c2b413fcf1e95b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 5c32a6274a0a7bd4e25bc4f55d8b27f649b99bfcc00b325462c2b413fcf1e95b

Comments