MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18
SHA3-384 hash: be27b0c81e78195ed663bbf1a9fc0d9fc9c81558a0be4e878ac1f6d35e58ef1df12d9d3db2c4c1f59ec8e7303bd35e16
SHA1 hash: 56b51ada804ea70cd9cf1686980a5609fb22172e
MD5 hash: aa7c791a74b8a74586f4bec9c552de72
humanhash: hawaii-jig-hamper-item
File name:dhl_doc8532967438.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:919'552 bytes
First seen:2020-12-10 08:48:51 UTC
Last seen:2020-12-10 10:41:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:b8IAjspCao7LIxJz6No40CVXPk7lsicDFzdnLe+lz:IIAo0j7LIroH04kh7UrnLe+
Threatray 3 similar samples on MalwareBazaar
TLSH 2415AE9C361076EFC927C876DEA81C64EA6074BB530BD203905716EDAA0DA9BDF141F3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dhl_doc8532967438.exe
Verdict:
Malicious activity
Analysis date:
2020-12-10 08:51:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/114130c8-8260-426d-bb85-420ce78da755

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107612/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.cc.5837.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/559876
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 329034 Sample: dhl_doc8532967438.exe Startdate: 10/12/2020 Architecture: WINDOWS Score: 100 38 cdn.onenote.net 2->38 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 Yara detected AgentTesla 2->44 46 Yara detected AntiVM_3 2->46 48 7 other signatures 2->48 9 dhl_doc8532967438.exe 6 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\zajBLGBtTgggi.exe, PE32 9->30 dropped 32 C:\Users\user\AppData\Local\...\tmp2C75.tmp, XML 9->32 dropped 34 C:\Users\user\...\dhl_doc8532967438.exe.log, ASCII 9->34 dropped 50 Detected unpacking (changes PE section rights) 9->50 52 Detected unpacking (overwrites its own PE header) 9->52 54 Injects a PE file into a foreign processes 9->54 13 dhl_doc8532967438.exe 5 9->13         started        18 schtasks.exe 1 9->18         started        signatures6 process7 dnsIp8 40 192.168.2.1 unknown unknown 13->40 36 C:\Users\user\AppData\...\kuqVvGbbkNJZ.exe, PE32 13->36 dropped 56 Injects a PE file into a foreign processes 13->56 20 dhl_doc8532967438.exe 2 13->20         started        22 schtasks.exe 1 13->22         started        24 conhost.exe 18->24         started        file9 signatures10 process11 process12 26 dw20.exe 22 6 20->26         started        28 conhost.exe 22->28         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 08:47:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkejpez4uxxyxhxqbevvbf36t55r7nyed3kivt2mme3gd7pid4ma._file
Verdict:
unknown
Similar samples:
115ac932f149eb49931d6f97f7a4f0f99a4ba3b9a46f3d0de0ad615058f4e532
AgentTesla
dc4703df57c6fd50a74396618bc4f9da307e530c8469a0418667a26d24749684
AgentTesla
ef9af7994d5d9ac283134b522ae1e1680eecee19974bf717fc5cb50d69b5d371
AgentTesla
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201210-v8rs8nsxkn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
b5a4bf1b5f503ed2db526c041bc34c950bbd43665a13197405ba172da30a200e
MD5 hash:
c424aac2d907399e41b057d5062e6255
SHA1 hash:
00367217637acb2a39623f8718e860752a11489d
Link:
https://www.unpac.me/results/fa1530e7-8a7f-4fbe-bd15-8698197890e6/
SH256 hash:
fe72a1b93c932aaf4a7ef7960c881c0ae12342a1e3aa2fbf8297c3a94f02f433
MD5 hash:
efa27b587de22f310e50cdb57a480704
SHA1 hash:
2e5d22f2d412597b2f99554b12c1d62bda21c31b
Link:
https://www.unpac.me/results/fa1530e7-8a7f-4fbe-bd15-8698197890e6/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/fa1530e7-8a7f-4fbe-bd15-8698197890e6/
SH256 hash:
2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18
MD5 hash:
aa7c791a74b8a74586f4bec9c552de72
SHA1 hash:
56b51ada804ea70cd9cf1686980a5609fb22172e
Link:
https://www.unpac.me/results/fa1530e7-8a7f-4fbe-bd15-8698197890e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 837d2b860f27afa125bcb08e049fd49d0d778753e91afa3bc1de63a2d512d250

AgentTesla

Executable exe 2a8897933ca5ef8b9ef0092b50977e9f7b1fb7041ed48acf4c613661fde81f18

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 837d2b860f27afa125bcb08e049fd49d0d778753e91afa3bc1de63a2d512d250
Cape
Cape
https://www.capesandbox.com/analysis/107612/

Comments