MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762
SHA3-384 hash:	7846a1ec09bf6c4b3082630e7d23e77c135a36940b63c37c9522071222264c58e02ef8fdb66636cf8c646baf6af49f6f
SHA1 hash:	00e16c77c8721ef5d9a99fe5e1e243f2bfc816a8
MD5 hash:	dd6d2ae3434fb4871d1d8ece6af28fd9
humanhash:	nitrogen-nuts-cat-yellow
File name:	DHL AWB 7890007899.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	679'424 bytes
First seen:	2023-09-12 09:48:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VjDPYyVF1qET9UgP9+Diu5AU9Q6lytYWxSd81fMnDGcG0oJFn+ES:Vng+F1VT9Z1M5HdSxU81EnqcG9J
Threatray	5'618 similar samples on MalwareBazaar
TLSH	T1F2E40123BA01AFFEC53687F63C29A2010772ED1EAD04A68D59C971E69C727139039F57
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.rivervalleyradio.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL AWB 7890007899.exe

Verdict:

Malicious activity

Analysis date:

2023-09-12 09:50:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a47de3df-b950-49f3-8454-e45a168e71bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/448138/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

86%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/6500340fea8fa606d7efaadf/reports/8c16f00e-d974-4e5d-b04c-ab14f6029aa2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/58597a4f-9592-49e4-b7f8-931315f93081

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-09-12 08:17:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 22 (68.18%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lwcomcd3tueejmbc6aj2ovzbaanolsg4fouguilsw3kzdhguk5ra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

76c37956d47aeada7e087a7cca0c1da69b6cd2aaaf791f139164a98c664c3dfb

AgentTesla

80e79e78a00245dbe120085f7d1e4e30e6674bcb9f539540e4de667c5783e545

AgentTesla

b356dd47eba95c4343a483091a1c27261a12fb0819c4899ffbe8f7b138e52329

AgentTesla

b4bcf8d5035166852ef1929c2f708253e1a041ebf2af94e7849f0e399d91bbda

AgentTesla

b8bfa96db841cb95723f5f8645e58d69ca63ecab0cdd50d08ebeb864ec66ae61

AgentTesla

cbabe9d8d2218ede4d631e216f8e0fbe7efab01ad9f52dc2652df994f7950922

AgentTesla

eb6a2478f1702c959b4fa10f4e41a7eacad94b23996244b43e5fca8e16981cc4

AgentTesla

fa355d795ebffe4120aaf97fdb4f1fc6e856b07a2ddffa2555b185a7043e2280

AgentTesla

+ 5'608 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230912-ltb4rseb39/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

9a63b62a1296933300f9cda87fefbdfc9f55ee908575a2130c641c9fd0c4f830

MD5 hash:

651ffbf7723d66c959851ec6c450fba2

SHA1 hash:

f7cf3587def824a298ae36da8ce82c62e2245f48

Link:

https://www.unpac.me/results/ac0cb68b-725c-4879-9dca-c7ec0ea71765/

SH256 hash:

1d9c55f67432ae073863575e37ba67cecfb941c83c8baa384636fff7135c2780

MD5 hash:

98066f81d773a6c49827c0c154f45ec9

SHA1 hash:

99a82501bdfaacc6a800ed488927cf297e8e2627

Detections:

AgentTesla

Link:

https://www.unpac.me/results/ac0cb68b-725c-4879-9dca-c7ec0ea71765/

Parent samples :

fa355d795ebffe4120aaf97fdb4f1fc6e856b07a2ddffa2555b185a7043e2280
5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762
9b4e7c6c203be7ff1f7bf8412cf416ee63e01c5a3f0bf7222c40ec01bcf836f3
5995f87d2503c54045cda91a3ec12136d11af4142950cf28a9566aeb7392fa0b
f02c4c63d826cd009160af01f55af40bef70be0570f7ef840ef08117c45474e2

SH256 hash:

c57c47f7d4eac029c9c94325038cb82c28b34c665f3209eb38043d10696d9953

MD5 hash:

33136f5f20ebae51bac1a99c40340a9b

SHA1 hash:

67ebdf60d1a45211f81e0f15300b25f70d010cff

Link:

https://www.unpac.me/results/ac0cb68b-725c-4879-9dca-c7ec0ea71765/

SH256 hash:

63db33e5cafe85a04361547369622ffd66dfe69ec10d02a0351fe4b43f1c49ae

MD5 hash:

bb2c3362a4b4a9db2fb8d1c37038d16c

SHA1 hash:

354eef38f38b16c84eff9107317bf197dcc61efa

Link:

https://www.unpac.me/results/ac0cb68b-725c-4879-9dca-c7ec0ea71765/

SH256 hash:

5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762

MD5 hash:

dd6d2ae3434fb4871d1d8ece6af28fd9

SHA1 hash:

00e16c77c8721ef5d9a99fe5e1e243f2bfc816a8

Link:

https://www.unpac.me/results/ac0cb68b-725c-4879-9dca-c7ec0ea71765/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5d84e6087b9d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 5d84e6087b9d0844b022f013a75721001ae5c8dc2ba86a2172b6d5919cd45762

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/448138/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample