MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ecfa27b9169773e66a6322bb814e41342b02636f840c4a7f4b46733a407e869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	4ecfa27b9169773e66a6322bb814e41342b02636f840c4a7f4b46733a407e869
SHA3-384 hash:	aa7e7869dcdc0e29a4ea4ea5edc87a04461787a44beed606489be88e5af6934b755e563fd914dbd44d41000c819eb68e
SHA1 hash:	bfd84672e007f1b2392a0eaf9ce3356234319ab3
MD5 hash:	46e8d8fb6d711339e61d29590e731dc8
humanhash:	utah-mango-echo-early
File name:	DHL_Mexico10106272873.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	942'592 bytes
First seen:	2022-04-01 13:35:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:wLPts0C5UrD72DwcazJEPzc+LAaJ+VOCkIfuWG42VN3e3ruO2n3Me7UuEqH:wLtD8wFIh/CfjG3N3uroMe
Threatray	15'511 similar samples on MalwareBazaar
TLSH	T18715F05A366079EFC86BCD328E941C54EA307877270BD20BA443629C995E9DBCF152F3
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.16837.28917.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6246ffcca19c649412b95253/reports/23401db8-76f6-4bd1-bf63-8172e2a97a14/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac9ea6af-5d07-4336-be92-7866131c22ea

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/969011

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ecfa27b9169773e66a6322bb814e41342b02636f840c4a7f4b46733a407e869/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-01 03:23:27 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 42 (59.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j3h2e64rnf3t4zvggiv3qfhecnblajrw7bamjj7uwrtthjah5buq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4c1965b55cafd859d44aa8182a042a6d4e40e98c9b0228530390c483dc98052e

AgentTesla

6a24ab81488efe130ff37ee21f06443dd8c23c156ca94a714907798fd1fae44b

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

8f1200247d085dbec4f07076dc216b2ebf4a3c85c2aabf6594ac42e3c3f88753

AgentTesla

b70d94fd7da398d1d9a9bb0824bfea4009c441a0852a004fbed4b44c43ee8948

AgentTesla

bcee759ba6f4384dada78adb15816339dde38e2e242c77b8c07bae25d4fed7bb

AgentTesla

ced2482a9d4316028a8ae3edc49a1dbe1ecd1f76b1a4c6a682505d3b7dd78146

AgentTesla

d52fe7af7f5d3a031f670ada720d9d1f9d451a096ce46862e589fb30af397cee

AgentTesla

fd521190e36009a7fafea228266b37eda5cbaec650769ecf2d227eb02f8ebae5

AgentTesla

+ 15'501 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220401-qv8xcagchq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

97fdb83fb4e7927c0271df83273f7eb087181c913b6e550b54de03c77a4d3934

MD5 hash:

f6700c8b616d8381090757b3c4c06c15

SHA1 hash:

b913ca0c22adc0e813375792e79a8d1ca7f6b4f6

Link:

https://www.unpac.me/results/dab97ada-18ba-4d0c-bfdc-54f50af65345/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/dab97ada-18ba-4d0c-bfdc-54f50af65345/

SH256 hash:

c510aaa756be346304b2fb352770cdc7166287bcfe546a0bfcd9ef1757295518

MD5 hash:

3605c0042bad5bfd4e266b19e1db3105

SHA1 hash:

56f7b14dd91152db615db5fc9a4965fe5748c5eb

Link:

https://www.unpac.me/results/dab97ada-18ba-4d0c-bfdc-54f50af65345/

SH256 hash:

72ff6a93b3dbe9150133363f09b7104c9b94fb806162fb45de69820f21adeae1

MD5 hash:

637d793af6e597f05cc4b39aa99a95e5

SHA1 hash:

52d9110b25504bf35cda235437f2930774c23f4a

Link:

https://www.unpac.me/results/dab97ada-18ba-4d0c-bfdc-54f50af65345/

SH256 hash:

4ecfa27b9169773e66a6322bb814e41342b02636f840c4a7f4b46733a407e869

MD5 hash:

46e8d8fb6d711339e61d29590e731dc8

SHA1 hash:

bfd84672e007f1b2392a0eaf9ce3356234319ab3

Link:

https://www.unpac.me/results/dab97ada-18ba-4d0c-bfdc-54f50af65345/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4ecfa27b9169/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ecfa27b9169773e66a6322bb814e41342b02636f840c4a7f4b46733a407e869

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample