MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53e6d9043ae10ef3d3953fd810210b15b3d03a59eb02da5f9fe33e9cc2bf0a0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53e6d9043ae10ef3d3953fd810210b15b3d03a59eb02da5f9fe33e9cc2bf0a0a
SHA3-384 hash: 9ccc02b7f26effe32067be6c4e2c58f4e8ab9eb39f088a41039a46aa0e91391088a8b892e1fd4836bef68c49fa8d52da
SHA1 hash: 27e9b6d99ac89cffa02cef29663cad16a3e018c8
MD5 hash: d415b0ee131130c227ca05b1c81d710c
humanhash: foxtrot-missouri-juliet-oklahoma
File name:DHL DELIVERY(FAILD NOTIFICATION).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:156'840 bytes
First seen:2020-10-22 08:06:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 3072:efshHahftdTiMjmCWVtO/NgfPPPPPPPPPPPPPPPPPPPPPPtPPPPaPPPPPPPPPPPh:eNhTivfPPPPPPPPPPPPPPPPPPPPPPtPQ
Threatray 723 similar samples on MalwareBazaar
TLSH E7E35015F6C61D5FEA71423C87BB028087F1BAFA09A5C3D5ADC466D4C0EA2603F5EB19
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vxadk-22.srv.cat
Sending IP: 46.16.59.31
From: DHL <Noreply@dhl.com>
Subject: DHL DELIVERY(FAILD NOTIFICATION)
Attachment: DHL DELIVERYFAILD NOTIFICATION.zip (contains "DHL DELIVERY(FAILD NOTIFICATION).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74573/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53e6d9043ae10ef3d3953fd810210b15b3d03a59eb02da5f9fe33e9cc2bf0a0a/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 07:48:54 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kptnsbb24ehphu4vh7mbaiilcwz5aosz5mbnux474m7jzqv7bifa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14775f3509b2838eb035bc228d9b90f12d31c2724436f1d8a762f6c65d055359
AgentTesla
21539292405e8dca65a5bbfaa4106e02d4dd98b1d1114842232fcdffa5c12c5f
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c
AgentTesla
876e2467c794536214871c18470cbf405ac358baf5e67bb82b2938e7750f438a
AgentTesla
be4f7ec80edb008a8ce1fdac488f14fb652f21ccd87cda469c80c866ab7ef912
AgentTesla
c267dcca6efe1260863d0b0a8c6358df04adc0b0de700674eaf8de2aafacf3fa
AgentTesla
cb712d69174016e6a25e14b60019cdc2cb86a43456f8b486c04fcb4d023b5c9b
AgentTesla
cea96c40377f340af14e1b6e4e2caab923e3872febb310b95810ad88abf73921
AgentTesla
d622d02dfd5ebd085c835d848b2a25091c06751f150575b9092bb99e98f94e31
AgentTesla
+ 713 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence evasion
Link:
https://tria.ge/reports/201022-edwm2h43p6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Drops startup file
Turns off Windows Defender SpyNet reporting
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Unpacked files
SH256 hash:
53e6d9043ae10ef3d3953fd810210b15b3d03a59eb02da5f9fe33e9cc2bf0a0a
MD5 hash:
d415b0ee131130c227ca05b1c81d710c
SHA1 hash:
27e9b6d99ac89cffa02cef29663cad16a3e018c8
Link:
https://www.unpac.me/results/c3e3268b-dae9-430b-8160-451fbf71e535/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ff99ee24914fd759f5cf467e0a329338

AgentTesla

Executable exe 53e6d9043ae10ef3d3953fd810210b15b3d03a59eb02da5f9fe33e9cc2bf0a0a

(this sample)

  
Dropped by
MD5 ff99ee24914fd759f5cf467e0a329338
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74573/

Comments