MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa603dd41e95f257403b45ec3cba307ed33aa3d5aa605e8d8796b5ab28cac54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fa603dd41e95f257403b45ec3cba307ed33aa3d5aa605e8d8796b5ab28cac54
SHA3-384 hash: 28c483c24a9dc025da636e48469b09104b665433c295d73b113037a276c5dcef5cfd5e29e88fd3ea47b624103b11afc5
SHA1 hash: 10697098cbfcb4d6c4be889305aaf9a1dd6a042b
MD5 hash: 36d3e4700d246075bfc4716cc329c894
humanhash: maryland-delaware-hamper-green
File name:DHL Shipment WaybillDoc_TransportLabel_PRG211001715505.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:438'784 bytes
First seen:2021-12-30 07:42:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:A/kKzoF7vUhgLllUp+uPQESz3orJFXx7tHMbctBHKSLxCpxkL9zc:AjoF78aBepXPIALhDBHxCpxkdc
Threatray 14'109 similar samples on MalwareBazaar
TLSH T1099412595A68667FFADD3ABF041E225083704231014BF3CE4DE1D2DA1AC6BE68610BE7
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.bariscantekstil.com.tr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Shipment WaybillDoc_TransportLabel_PRG211001715505.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-30 07:44:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4e411c0-8de4-46c1-9a31-666d8f7cfa1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216851/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/61cd63084ab5c44cbf5729b8/reports/352a7b01-438f-40df-bbce-3b34dff314a6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a4cb4f7-c5bb-4399-8654-0e68a30fb7d1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914008
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2fa603dd41e95f257403b45ec3cba307ed33aa3d5aa605e8d8796b5ab28cac54/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-30 06:01:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6tahxkb5fpsk5adwrpmhs5da7wthkr5lktal2gypfvvvmumvrka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
073e537df1a31ebe720a81a20f86f46f4eb24ee911e317a10a9849a3aeb46c0d
AgentTesla
118c41cc349faeaf8f78b73842903b12b9aa9ebf8b0bf6ece455fd8ea943da25
AgentTesla
3400fb69c6d46a8f3171110b48b7e443a0828b3a45054a63536b3689b5d2bad0
AgentTesla
43ce04c6b8f460899f646dde2d89608c45c52982dc389182d70a4c86cd20ce4a
AgentTesla
8ee5b792f71a86bab6e1ac1d82669d474ac1b4f973f610b0074ee89bed67306e
AgentTesla
93353095ec20b348490396b58860554459789d8ccfa98fa42f0d336b9eb94eae
AgentTesla
bc8fc1d6e4b1f2d54e06717a136ebd113d7cf50939958bcf85b9556083d5b00f
AgentTesla
ce6f26feac8b78450380877161487e271e676a50cc93f8a7a2ecea65b5e41020
AgentTesla
+ 14'099 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211230-jj9wyaecaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
7cbf6e915984c637c37f86c546ba416b24583bf1f3fc2327ff3bb0b7e5c402a2
MD5 hash:
4f67871f95f8f909211eb90b84c2959e
SHA1 hash:
f23a198c6c504b058fc289e3152755a81e5a1ec6
Link:
https://www.unpac.me/results/384282bd-fbb7-4573-9a34-357042acbb48/
SH256 hash:
d75e34baddce5b3bb6b296a59541f8a651128ea02408db85b5380f7d89fbe5ac
MD5 hash:
d73681f1e528c56024bd7205189c7476
SHA1 hash:
eb546ddb8daff607827c4071212237aa1ffc310d
Link:
https://www.unpac.me/results/384282bd-fbb7-4573-9a34-357042acbb48/
SH256 hash:
dc2c5f7bcb1dc0087e3591f88530fa8a8d8c9874f536050cb716c3f48ebca421
MD5 hash:
72232c45e732849918155a85de149e91
SHA1 hash:
7864403ab93b945b580fab72d5720ee06aa2b18d
Link:
https://www.unpac.me/results/384282bd-fbb7-4573-9a34-357042acbb48/
SH256 hash:
2fa603dd41e95f257403b45ec3cba307ed33aa3d5aa605e8d8796b5ab28cac54
MD5 hash:
36d3e4700d246075bfc4716cc329c894
SHA1 hash:
10697098cbfcb4d6c4be889305aaf9a1dd6a042b
Link:
https://www.unpac.me/results/384282bd-fbb7-4573-9a34-357042acbb48/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2fa603dd41e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fa603dd41e95f257403b45ec3cba307ed33aa3d5aa605e8d8796b5ab28cac54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216851/

Comments