MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8
SHA3-384 hash: e7e06a127cfdcbb7c38bb57aabf4054afbde9a64769aa5f4dd94a7e4471e625ddea8319992ebaccbc996e9ae5874a311
SHA1 hash: b9930d140eb3cb1671ca99d8aef7511673fd6cca
MD5 hash: bef5c963b4cae15a468b43b6925335b1
humanhash: seventeen-march-arizona-december
File name:DHL0966779898.pdf__________________.hta
Download: download sample
Signature AgentTesla
Create hunting rule
File size:130'792 bytes
First seen:2023-10-26 12:11:53 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:oTl2u/UTiTwTITpfXdTKTYTwTBTNuWQtF5EK:oTl2u/PfXJ
TLSH T10AD34B11259E609C70B37F631BDD79EA8F4FBBE1271BA0AA664403078F52E44CE95372
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter TeamDreier
Tags:AgentTesla hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
DK DK
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.26465.5352.239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/653a579334de31f579cb4c86/reports/e2d1d44c-5539-415c-9d78-b90ebc83980b/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332652
Signature
Antivirus detection for URL or domain
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell download and load assembly
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332652 Sample: DHL0966779898.pdf__________... Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 24 imageupload.io 2->24 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 8 other signatures 2->40 9 mshta.exe 1 2->9         started        signatures3 process4 signatures5 48 Suspicious powershell command line found 9->48 50 Very long command line found 9->50 12 powershell.exe 7 9->12         started        process6 signatures7 52 Suspicious powershell command line found 12->52 54 Found suspicious powershell code related to unpacking or dynamic code loading 12->54 15 powershell.exe 15 15 12->15         started        19 conhost.exe 12->19         started        process8 dnsIp9 26 imageupload.io 104.21.83.102, 443, 49713 CLOUDFLARENETUS United States 15->26 28 185.254.37.174, 49714, 80 NETERRA-ASBG Germany 15->28 30 Writes to foreign memory regions 15->30 32 Injects a PE file into a foreign processes 15->32 21 RegAsm.exe 2 15->21         started        signatures10 process11 signatures12 42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->42 44 Tries to steal Mail credentials (via file / registry access) 21->44 46 Tries to harvest and steal browser information (history, passwords, etc) 21->46
Score:
100%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 17:16:23 UTC
File Type:
Text (VBS)
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ei4riaeuu5yy5ymkrkvuqo2x5uovpwu2e3tlo5kqzjzbzhs433ma._file
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231026-pc573abf3y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Detect ZGRat V1
ZGRat
Malware Config
Dropper Extraction:
https://imageupload.io/ib/ekWgHWjP3arvUq7_1698166097.jpg
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2239140094a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

HTML Application (hta) hta 2239140094a7718ee18a8aab483b57ed1d57da9a26e6b77550ca721c9e5cded8

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments