MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
SHA3-384 hash: a7baa89c1dc132464a027fbd510f236f5809ba9ebb82a7aa6bdf62e0093f7ca114e7ebe2bfe7b9c29157f62b9ececdec
SHA1 hash: fa4b5a1c63c22ec910fba1585131e765915b8075
MD5 hash: a87b60bcbc3facb81d8e5acd16053f0f
humanhash: friend-artist-queen-juliet
File name:fattura e consegna delle informazioni DHL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2023-05-26 14:49:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:WKo7z5GoJiGaq5au59x1NeV2dfDVqdWpg3ConGEGKvrZNBE0G:k5GoR5a2pxdfDVuWT2vG
Threatray 4'301 similar samples on MalwareBazaar
TLSH T1B4E4124073AA8B93F67A7BFA1251EA7003F6796B3435E20A0EC3B7CB5662F445442747
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla DHL ESP exe geo


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.itvlahita.com.21

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
fattura e consegna delle informazioni DHL.exe
Verdict:
Malicious activity
Analysis date:
2023-05-26 14:55:06 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/1ce0fc0d-f078-4fde-bb61-626c9fad0b15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392162/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.20466.18058.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6470c71c1fa6a19dfd17b586/reports/77a32340-7d7c-4602-8974-874c13507ccc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca465427-f9c1-4e02-aa1e-658d97e494b4
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243373
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2023-05-26 12:57:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifsste36pvfymlusmubrb3ga5tolfkupip6lr6qn5tusnzmwgibq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
088dece027bdaff18c0f6ba9aecc17d2e55bc901ccfef1bbd02ca1f6eb367b1b
AgentTesla
316483bf87a8932bf0d84dd527cce96da936a5612b005f5051b2656c39a9be62
AgentTesla
4708bada9bbf77daade9a3f124eb0f5309ea68bba94c5bb4b332701d1d010185
AgentTesla
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
AgentTesla
53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
AgentTesla
539b70f704ffff9cf973a032e01e39d31613a4ce7cd9939d84746d587d0a7ac9
AgentTesla
577593e5d16e4c0439339d4345505db0eb1595670ebdb271feaeaab510fd8b56
AgentTesla
7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64
AgentTesla
7ef10437af99524e348b41e33c32a2c7c6270265b535700f3ec8c97f6c4f8a93
AgentTesla
92bc5b745a6e3757f5ffbda877cb0b5725606d214642fc37f16ad0cf98c0cd9d
AgentTesla
+ 4'291 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230526-r7ls1sfh92/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4e07d951264f618e1c017128c72da2000145ec7b9f3af1205f5053fad8adfc2c
MD5 hash:
b9ed84f54700a9a8f4c8184165e0a450
SHA1 hash:
bd02f458357725daa9f77c342eaa133dc3257427
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
Parent samples :
416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
49d6624bc410c9c12b48720165564f7b46633f3df09451cd2acf7e2b5bf33318
66b4079397c29474bf588016a173ceb34a8969942bb98f1fc3e32b80a43c8866
371de82ecda3f11d11e98a6265274bb708b2350ad47c77b4319da1d51764f64b
09f60ee4954ee9d0c866353608e34153517a332d696f414303156397a75d4c99
7c01ba932f550fa515252105205ee3d58751fa8a33c386e50104e0cf4251aa2f
0367e00431ccebbb5f8f7b2eba1fffcc2a9aa1899eb053933adb92e576b60399
0bf45acc7254a005ec8699e5dcea5f6354aba927bd72800e7815271f158f7211
e7ad89234b28761afe4f6c21f3d4f4dcd1db37d40f856f92c5983e320d95f423
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6829b89384aff949806fd7bf99342c2279dee9f0bcd927cf6e6fd633d0a42dbd
MD5 hash:
1282730fa7ad3e61b441b380df78b14c
SHA1 hash:
93f03383b6c1362f21f6aab4772da3ded489fc12
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
SH256 hash:
a666bfe9e06063fe6ace3b190965e6f5d0ecfa0f6a196ff119db9b50c1be64f6
MD5 hash:
40f8f73fd9a7caa81803ff57fca4945a
SHA1 hash:
217666820018ef7b88c048c1f14765a6cec3fa44
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
SH256 hash:
aa55a49c4e26b6c0cfb3aa599f5cb5c6eae65e0a7884458e75614092d073cf5f
MD5 hash:
9d9bed3fb41b5b721aafd13220f48c73
SHA1 hash:
069c54846fffaf8ba3abc8f140a60dd9755ff20a
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
SH256 hash:
416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203
MD5 hash:
a87b60bcbc3facb81d8e5acd16053f0f
SHA1 hash:
fa4b5a1c63c22ec910fba1585131e765915b8075
Link:
https://www.unpac.me/results/18bff6d2-8c50-4df8-a749-2f1c6b5e29f1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/416529937e7d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 416529937e7d4b862e92650310ecc0ecdcb2aa8f43fcb8fa0dece926e5963203

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/392162/

Comments