MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee
SHA3-384 hash: 2906a76319d54a2c1ea03fd9fc7b3c8cb09395e91a988a35d1e1617bad528b0bcb8a34fe18d5825f1b5daeddf7defde6
SHA1 hash: 972d92ee0755e1e15dc8c7257e7f8a4be8dfe7af
MD5 hash: fdadcc8e32d66b2ae0046e6f3d2fb5de
humanhash: victor-lima-delaware-lake
File name:74725794.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:5'868'544 bytes
First seen:2021-01-18 18:14:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:93078VmQi2jgc1VSvbpsIEQ1BoyqxwsLKgZVSGt6acCPlyk3aTYHN82+fin:JQpQiwgc1VSvbpsgoyq6slsadPlSTcN8
Threatray 108 similar samples on MalwareBazaar
TLSH 30463302F61DD911C65ABD7E8467B3AD4A62C5DBC308DAD237AB381F7440FE11B89887
Reporter abuse_ch
Tags:AgentTesla CHN DHL exe geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [144.208.127.210]
Sending IP: 144.208.127.210
From: China DHL Express <5idhl_noreply@dhl.com>
Subject: 【中外运-敦豪】电子发票(发票号:74725794)
Attachment: 74725794.zip (contains "74725794.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
74725794.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:20:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/605e7866-259e-48d4-9568-56d68ab7481b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112637/
Detection(s):
SecuriteInfo.com.Generic.mg.fdadcc8e32d66b2a.16950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/584107
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341095 Sample: 74725794.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 76 30 Multi AV Scanner detection for dropped file 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AgentTesla 2->34 36 2 other signatures 2->36 7 74725794.exe 6 2->7         started        process3 file4 22 C:\ProgramData\Microsoft\Windows\...\blur.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\...\74725794.exe.log, ASCII 7->24 dropped 26 C:\ProgramData\...\blur.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->28 dropped 38 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->38 11 blur.exe 2 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->40 16 blur.exe 11->16         started        18 conhost.exe 14->18         started        20 reg.exe 1 1 14->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 15:43:28 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcicchj5rxjbg4lwojldypjkoga3gi6v27pmiogbnxd6bywdghxa._file
Verdict:
malicious
Similar samples:
02c430c51fa15522e80f952731fabd0f06d968d1205c2249e30a052a4e96d771
AgentTesla
295d0bbeb8eeb0956c87e46ad0beeb66bc02f3c72c20a898ae66d3bfc64e670b
AgentTesla
2a632fa3436f40c7901873fe1ef196c9d4560ea37935fbe123259302fdd043c9
AgentTesla
30eb1963753aa4a9d4987f1e43c684d91b1b9ca11202a7f751bc621a0149cb19
AgentTesla
485fcb629691d08260b4066b1261fefbbdd4dd399fb5ebf9df7311c5e0710f68
AgentTesla
9b88304422980e3e7dac534c9aaf77ea5bce8fdbaaa678aa4ca9622186f35e41
AgentTesla
b07f1a61fef552e8f6261abb854ec9b44aa57588c6ae812bf67f6a267a14ff9b
AgentTesla
bd0d59702d2d99ee59e5d10834c234e2fa98bfb4d02b19500f3a67bbff70e7d5
AgentTesla
ef3e4d2d8d25c9193cf0ba20d5f41cab19134f6b78b649709b21667d217ecd8f
AgentTesla
f4524797f4b1871ce21a139c2eabcd661e3a1c8728a7b40d54d3a8c0ee6ca30a
AgentTesla
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210118-79cygqzks2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/65427195-f83c-4c7e-92f3-0dd28cdf1a2e/
SH256 hash:
534698b4a6c8b61d9f027d702d3b05e69b0a3b87192c4929325c0943fb309cf9
MD5 hash:
1246d289e63a6f44ab4cdfeda38fae45
SHA1 hash:
751f796f29c21d0dabce5a7f19f96454b1ce407c
Link:
https://www.unpac.me/results/65427195-f83c-4c7e-92f3-0dd28cdf1a2e/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/65427195-f83c-4c7e-92f3-0dd28cdf1a2e/
SH256 hash:
3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee
MD5 hash:
fdadcc8e32d66b2ae0046e6f3d2fb5de
SHA1 hash:
972d92ee0755e1e15dc8c7257e7f8a4be8dfe7af
Link:
https://www.unpac.me/results/65427195-f83c-4c7e-92f3-0dd28cdf1a2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4990cfc68eb2af75d6894a7c6859ce185d66cad91b7b307a98f26bdba04c0abc

AgentTesla

Executable exe 3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee

(this sample)

  
Dropped by
MD5 1377803ade5805f642c7d78e1cc1865a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4990cfc68eb2af75d6894a7c6859ce185d66cad91b7b307a98f26bdba04c0abc
Cape
Cape
https://www.capesandbox.com/analysis/112637/

Comments