MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38
SHA3-384 hash: 8e26f7970cbd48d9d56c34cc3df7f87b0e9a3bfbbdd5dff5fdf3c3c6f173a9b1427d3a75a09649bee681f13760e10d12
SHA1 hash: e67a2f6607da4aa525a138a9494d69de9bac1750
MD5 hash: 5900e167df01aab3c41c691bff35b745
humanhash: connecticut-robert-queen-paris
File name:DHL Express Receipt_ AWB#20448299082.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:625'664 bytes
First seen:2023-09-07 06:44:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7lgQ2x7Ds87oTHm5QluW5ml4Bl2ErIA6wRBK1G/Tt5fVsbR:7y3xMchCluyS02uNF/TttO
Threatray 5'543 similar samples on MalwareBazaar
TLSH T1F0D4220552911FB8DAE1C3F70166285A5BFFAA841064D74C1ECBA3CECB74F6142A39A7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e2983a9393ba98e2 (9 x AgentTesla, 2 x Formbook, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL Express Receipt_ AWB#20448299082.exe
Verdict:
Malicious activity
Analysis date:
2023-09-07 06:48:03 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/eddc1d26-9ded-4c9b-a519-3bda1209d063

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446865/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230907-0544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f97171b7dd6394f712540e/reports/34cb0a54-b980-4ca8-b498-05c6832e8131/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abb841c7-0ce9-42ee-8456-09d996a1a9e1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304973
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 03:12:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2rqeuwpedk5xet62rpuo6rayavg5prb6bjlo6gjq2gn6f5ufm4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
129f85ae2da5c30f9439ef123d09d75e2930f1c025e9913a91c212bbe5758c0b
AgentTesla
1870568f702f6dace356e56e859fa30674e6388dfdfd76c056e446f12d356128
AgentTesla
24c957cdb333eb129fa5cde3ab365273ec1fb07e4a03e7bb92e7d8ae41301e8c
AgentTesla
4fe57538924814acf2ab05750afb4ec0059dd8283f72bc96134ed41f69510a98
AgentTesla
793e60744aa163e0da636233df2fc83f43d447cddf4a89b28ff15a0ca95e69f9
AgentTesla
85080c93fed815e1de0896f7e79b99c9d6895572f9223f95ba6f52d132c52b26
AgentTesla
bd8c4eb8ae0047367c1d20d2132d3a2fe2bdf0d197001ea4ecaa3816d59c84e9
AgentTesla
c3d7784b55f0d1d5bc37f3d850039ccac92dfd94257ccd4b8fe04307ad46d617
AgentTesla
eb165c358ce343ca66739853792465030d14206e1ef6a68fea94fe0dd57c606e
AgentTesla
f7531ebec6015698d037d4d8f66128e138e11d86a3901976001a4060ce90340a
AgentTesla
+ 5'533 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230907-hh292afb78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1148882670558916618/-c2mLB9uAP04CggVnzmAi7xVYAGBc9_CJCL304_-wC47FN4z_EO_rujQqf3lGQuvSU30
Unpacked files
SH256 hash:
40bc7cbcb1c6f215985580dfd1ce3c5ab203787a3263ef82dd8428f9e83c4bb6
MD5 hash:
515c64a2dc729f5a3794aa5fa9d90c61
SHA1 hash:
dffe3889785cd3e1b24f7bc58684887cb7126367
Link:
https://www.unpac.me/results/546bba27-525d-404c-9fbb-43493a0d7192/
SH256 hash:
7d5f95f330f6751b21aa33047c3c66a98b594ce3490bc68c3b80e834485da680
MD5 hash:
95085355ca1031299f618c3f6fdaf8ba
SHA1 hash:
68e88d52333f8d96c42e6ebe4125fa627d477d15
Link:
https://www.unpac.me/results/546bba27-525d-404c-9fbb-43493a0d7192/
SH256 hash:
c2da651161d296bc90484fdd0d33421a90c4b5e438a1d25365538e60fea2f81b
MD5 hash:
c2992f78b34d4178542eba7177fa5eca
SHA1 hash:
684e24cfeb7700e9b6d111f84c73d0c68734429d
Link:
https://www.unpac.me/results/546bba27-525d-404c-9fbb-43493a0d7192/
SH256 hash:
6a41af11cfbe01403198b7b6dec0ea1f51ea851fbcc71f1e8bdcb2a353b65412
MD5 hash:
a907b928fe2eabb52be64440c24e5d2e
SHA1 hash:
64e261e4514010d61fa4d9c0f2504b7e7c7a43db
Link:
https://www.unpac.me/results/546bba27-525d-404c-9fbb-43493a0d7192/
SH256 hash:
3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38
MD5 hash:
5900e167df01aab3c41c691bff35b745
SHA1 hash:
e67a2f6607da4aa525a138a9494d69de9bac1750
Link:
https://www.unpac.me/results/546bba27-525d-404c-9fbb-43493a0d7192/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ea30252cf20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3ea30252cf20d5db927ed45f477a20c02a6ebe21f052b778c9868cdf17b42b38

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/446865/

Comments