MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7
SHA3-384 hash: e4257c87c1cb1c30b4581502a84088483edaf9683280e7a1296c0adc307e3f3fd223ad954aa411de9a176d45b8e8b3ab
SHA1 hash: ea3fc97d40e1a9071863824ec18649306b4e19ce
MD5 hash: 8bc5674272b60f0e8b996d7ea5235a10
humanhash: hawaii-sink-helium-avocado
File name:DHL-Account Statement.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:699'904 bytes
First seen:2020-08-18 13:18:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/xAbVGqMcOFV5PB7Uph9C0Zvi32MK/qXeBnXXdW6YUJCgvZc:ac+EPB7U39hZvi32MK/qXeDW6J8KG
Threatray 9'922 similar samples on MalwareBazaar
TLSH 8DE4F1353698EA10D7BA5736CCD9610813FBF4026621DB6DFDDD215C0962BA28B237CB
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.sap-express.com
Sending IP: 103.31.132.106
From: invoicequery@dhl.com
Subject: DHL STATEMENT OF ACCOUNT - Dated 18/08/2020
Attachment: DHL-Account Statement.iso (contains "DHL-Account Statement.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47905/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun by creating a file
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 13:20:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfsfoc2oxofujfzq34q6jyo2ifkxymdioc37cg3dehxe3whaghtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
AgentTesla
418e6ce3fd66c68a594bada93ee5789ddfc4df367e3c1be735cd07fe078fbe99
AgentTesla
7b1284dfea512883123452d9bd0ed61ab9af5ee56382664aada1914a42944e60
AgentTesla
869db459a0e4bd62ddc3790de35afa73d19b4c242ca20c1a11b6cf58914fbbbc
AgentTesla
91cfa121b109ceaceb8ca6dcef72ac69691291facec3569755f13c4a87f6da75
AgentTesla
9be04012b4927a7e93498068acaaac6e157192df66509a20079fa39084735247
AgentTesla
c298da56eb8b11fd96859a1f9434d6c4e251f574e48a0cc2d066d442b9bf182e
AgentTesla
cadf2a43d7f85a109aed5177e99951fba7031621fa470af37a58f283b0edc886
AgentTesla
ec24550a9fa2fdb2a0e7c739b9ac97387925808dbd832b11675f18e48a93bcc5
AgentTesla
f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553
AgentTesla
+ 9'912 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-mjmsex5rdj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 26280a570fac404d9d67633e3ebd4442866492e84fb52351f551547c80d529c3

AgentTesla

Executable exe 5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7

(this sample)

  
Dropped by
MD5 e0a56d2cfdfc732adb1c49dba43c8530
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47905/
  
Dropped by
SHA256 26280a570fac404d9d67633e3ebd4442866492e84fb52351f551547c80d529c3

Comments