MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aef951698cca692c50dce6fa767cb599ef9295d342b63a683a9b74229f878b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla
Vendor detections: 12


SHA256 hash: 4aef951698cca692c50dce6fa767cb599ef9295d342b63a683a9b74229f878b0
SHA3-384 hash: bdd8f0860e9c91e061b14d3278247ea61c17b5a14642d3bef96089aeb4f86e2dd066f5870d8eb7ab477470ba96a6a279
SHA1 hash: a29a88c4d68aaf8701561b54c209c5bdcd72298f
MD5 hash: c98ecaa6d9d2abf3fba4d4b64531ef82
humanhash: fish-eight-sixteen-single
File name: DHL Shipping Doc 6532291931.exe
Signature: AgentTesla
File size: 568'320 bytes
First seen: 2022-07-02 13:45:44 UTC
Last seen: 2022-07-02 14:49:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (32'074 x AgentTesla, 11'214 x Formbook, 6'133 x SnakeKeylogger)
ssdeep: 12288:3pevmOXLlqWzkyRC2JIec9PDBV/jmRpMf/ZFI0dv:3ovMWVpbcDVLXxFNd
Threatray: 17'828 similar samples on MalwareBazaar
TLSH: T10BC402782BA855B3D60F07F9E8578CC2E330D0396B03DBF2958851FA592B7A75440AE7
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.3% (.SCR) Windows screen saver (13101/52/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: @abuse_ch
Tags: AgentTesla DHL exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 251
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-07-02 06:29:32 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
Malware family: AgentTesla.v3
Verdict: Malicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.
