MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3
SHA3-384 hash: 88ef3b2442f9c51cd17c9971ce2ff4a504d314981806d60d415ce6b5f61e4811c0517df6a38a9d933e1638852dfcebeb
SHA1 hash: 4a001fe7847ee7906335b483b184cf751b2e0d82
MD5 hash: c485b4947a71670ccfa814b73bb8d3a2
humanhash: sodium-speaker-music-king
File name:dhl package delivery paperwork review for you.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:47'080 bytes
First seen:2020-12-07 19:33:25 UTC
Last seen:2020-12-07 21:39:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 768:09nWF2GWtWCWyWPp+EgVb8TicDGTG3VkGp0TEKdRDwQ0d/1dAvt9rQTgPbXz9Ufu:09Y22Mb8Tz6TG3VkGGQKd2Q0d/8l6Tgt
Threatray 1'717 similar samples on MalwareBazaar
TLSH B723D78733088B03E6969B39728362135BF1D1933B7B8BA5A9E527D71C021C46F57B87
Reporter abuse_ch
Tags:AgentTesla DHL scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.statusid.net
Sending IP: 64.227.36.91
From: DHL Express <me@statusid.net>
Subject: New delivery on hold
Attachment: dhl package delivery paperwork review for you.img (contains "dhl package delivery paperwork review for you.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dhl package delivery paperwork review for you.scr
Verdict:
Malicious activity
Analysis date:
2020-12-07 19:57:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/30b56539-6f05-4e06-b2cb-541aa5e0b0c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107100/
Detection(s):
SecuriteInfo.com.FileRepMalware.23894.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557319
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327756 Sample: dhl package delivery paperw... Startdate: 07/12/2020 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AgentTesla 2->40 42 4 other signatures 2->42 7 dhl package delivery paperwork review for you.exe 20 4 2->7         started        process3 dnsIp4 30 pastebin.com 104.23.98.190, 443, 49730 CLOUDFLARENETUS United States 7->30 32 hastebin.com 104.24.127.89, 443, 49729 CLOUDFLARENETUS United States 7->32 44 Adds a directory exclusion to Windows Defender 7->44 46 Hides threads from debuggers 7->46 48 Injects a PE file into a foreign processes 7->48 11 dhl package delivery paperwork review for you.exe 2 7->11         started        16 cmd.exe 1 7->16         started        18 powershell.exe 21 7->18         started        20 2 other processes 7->20 signatures5 process6 dnsIp7 34 mail.privateemail.com 198.54.122.60, 49733, 587 NAMECHEAP-NETUS United States 11->34 28 C:\Windows\System32\drivers\etc\hosts, ASCII 11->28 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to steal Mail credentials (via file access) 11->52 54 Tries to harvest and steal ftp login credentials 11->54 56 2 other signatures 11->56 22 conhost.exe 16->22         started        24 timeout.exe 1 16->24         started        26 conhost.exe 18->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 19:34:07 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gt7pmfda6mmw7hcpb4thiqzqftcvopmtlllt6ghlgoxkihml4xjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b02286faa0d5f7a7c239bbb459252a5dbc499562bba488034c75d8c04e29cd3
AgentTesla
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41
AgentTesla
3262041b975c085ac4910cab0c54cafd02bee3accf8f921712f9a626634ea833
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
5ccb4b42592b867c638bc0b10bd75d11865ee1bea36d8242bffe1aba403336e4
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501
AgentTesla
c2df8e72382149481c403e6a2d52dbb93daeb046e8ce23247ec763f50490be96
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
+ 1'707 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201207-hsewl5s11a/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Windows security modification
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Modifies Windows Defender Real-time Protection settings
Windows security bypass
AgentTesla
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3
MD5 hash:
c485b4947a71670ccfa814b73bb8d3a2
SHA1 hash:
4a001fe7847ee7906335b483b184cf751b2e0d82
Link:
https://www.unpac.me/results/11edc5b5-ff74-466f-81a2-1901c90445d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

cd6321a9b5c5095d748364e7d9c5841c

AgentTesla

Executable exe 34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3

(this sample)

  
Dropped by
MD5 cd6321a9b5c5095d748364e7d9c5841c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107100/

Comments