MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5
SHA3-384 hash: 6457273db921fb698146ac40df873e518ae3916dfa078c75a7ac346562ae1472d02e2a76304639fe0c6bfc08801a2c94
SHA1 hash: 21420c8d117c1ab188949ccaf024d6ad3f226d5d
MD5 hash: ef9873675db5ead478d4df49e58db6d5
humanhash: fourteen-lima-island-indigo
File name:RECEIPT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:663'040 bytes
First seen:2021-01-18 18:26:05 UTC
Last seen:2021-01-18 19:33:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f85ebb67bac58f72de974a91d40889a (5 x Formbook, 3 x RemcosRAT, 2 x AgentTesla)
ssdeep 12288:b8WvAMYGY5RFNBeU7vgTOz5dCe8XTe5frhocq+vrF4z8n8UN9Nllu:b8W4T17vgKzJEef6cNDF4o/g
Threatray 307 similar samples on MalwareBazaar
TLSH 15E4CF21B880C032C173253249B9E2B2087EA5305E655ADFBBC819B95F745D2B73977F
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.hostmaden.com
Sending IP: 77.92.141.108
From: DHL Express <noreply@dhl.com>
Subject: enclosed receipt
Attachment: RECEIPT.cab (contains "RECEIPT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RECEIPT.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:41:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/41aaf62e-4c58-4b5a-9141-7f106acf184e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112656/
Detection(s):
SecuriteInfo.com.Variant.Mikey.118306.9951.8926.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/584124
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 18:26:16 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=if45r6yefcsn5crs3ehdstzukqhcaa5ts5jdubroe7wtpebnv6sq._file
Verdict:
unknown
Similar samples:
1c55b3c97920d56dddbc38e6ba3c5dcbc7f3072792915b51e146b3dd92b3f392
AgentTesla
321be1554d0c8aaf169078b16f29bac61f923485fcc124499a6886c4ecadb552
AgentTesla
35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3
AgentTesla
4630139561d13a1b777368972765fb04cf0b237a850bc94d59ba7d2445d32019
AgentTesla
6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
AgentTesla
82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7
AgentTesla
adc10139a3870919bf60c4345f1e9d09eec3c590a434e761c55ff3da112e9a68
AgentTesla
ccd9176d26caf90647653816162ea4622ae24e253b7da139fdfacd74a555a8a1
AgentTesla
e2da0284dd6560f4fdfc2a2ec9eafb0c791ebebc7b0ebcc0d792cc791412145e
AgentTesla
fe7c717b3f64d3c721f760c5d62cf09b7bfcdb8fcbf163e7958907a3d7b2dfad
AgentTesla
+ 297 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210118-992by479d2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0a0c9667f0248a5d84209400247301d4d301803f6ebb0297ee85e3bc1359223a
MD5 hash:
aa533c2d65cb0db44ab742b86386f91f
SHA1 hash:
51fae5e93dd976ce26726dcd6b57f5c9463fd359
Link:
https://www.unpac.me/results/bb593731-9a24-493e-810f-64b4b8c6235f/
SH256 hash:
4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5
MD5 hash:
ef9873675db5ead478d4df49e58db6d5
SHA1 hash:
21420c8d117c1ab188949ccaf024d6ad3f226d5d
Link:
https://www.unpac.me/results/bb593731-9a24-493e-810f-64b4b8c6235f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab b31bcaaff605cb9a6a096b38c290be56dcee26e43683c81f690a48a16b43d391

AgentTesla

Executable exe 4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5

(this sample)

  
Dropped by
MD5 13d592833aee8839d980b23e947ef86b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112656/
  
Dropped by
SHA256 b31bcaaff605cb9a6a096b38c290be56dcee26e43683c81f690a48a16b43d391

Comments