MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410
SHA3-384 hash: 1343e94b423d92c7bc913b1766724e86e10e58fd06ed53da63a57079d1ef3418b6a26538a7d5fd895dcf34359494a8ab
SHA1 hash: 3685904403c90765246897259b781fb9dd90e368
MD5 hash: a05db5ec1464c4281e38f2fc90daba7e
humanhash: bravo-fifteen-equal-london
File name:AWB - Invoice Shipping Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:601'088 bytes
First seen:2020-10-26 10:10:09 UTC
Last seen:2020-10-26 11:58:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:yziADHAuby9CeSETta1gFrve5XrOHYJY9uRvZLucaAjFWH:0DHI1TtaiBG5X6HYJrYiQ
Threatray 845 similar samples on MalwareBazaar
TLSH E6D4F12232889746D17D93F85021D0706BF0BC85DB32D6293DE4BB9F35B2F858A76B16
Reporter abuse_ch
Tags:AgentTesla DHL exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway20.websitewelcome.com
Sending IP: 192.185.67.41
From: DHL EXPRESS SHIPPING <fernandomiranda@faprodmir.com.mx>
Subject: Fwd: AWB - Invoice and Shipping Documents
Attachment: AWB - Invoice Shipping Documents.gz (contains "AWB - Invoice Shipping Documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/78981/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.5911.27084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511537
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 23:19:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdczg4bf232vuz6wjoucjozouc5dv3oz3wkjikkujkxmqknzqqia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20fa81d1aaeb9c0b8a15f71c939d71f6fac6e6a36e6fda77c5c23c50a773b08d
AgentTesla
2323e3fa9e42ca85d8c33196bbb4b5273403e1eae415e42be8b055df1a560337
AgentTesla
263fefe63ffef92b66516f9de917b4af09783ef5e3b6ba93b030d91c624c7925
AgentTesla
26e21e90ec6431d87ffd66ee6f0cce3c2f1854a98390670b1002332632f297de
AgentTesla
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
AgentTesla
3f3daa13de0dde36e87f536f9cbcabc3170a6ddc4bd261d8ad3d3cd8515f6790
AgentTesla
586e6d87926659657100318f4efc9407706ceb71106b4d97757c30d100168d41
AgentTesla
6b45c7c7eff3349f69bbe88ee3209c8557e3ec32b1985e1a3053392354ae64ca
AgentTesla
8a525d55d517847b7379170a844775e1ea1ddc79816e4650d74787da63141d65
AgentTesla
bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
AgentTesla
+ 835 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201026-lz4x8bpwqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 16000f37090f41ec8a282cb05f6c55def7cdcd1c1d9e971bb648ad77d4952ce9

AgentTesla

Executable exe 60c5937025d6f55a67d64ba824bb2ea0ba3aedd9dd949429544aaec829b98410

(this sample)

  
Dropped by
MD5 9126ac7d92de21742205aa7283ceeeea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 16000f37090f41ec8a282cb05f6c55def7cdcd1c1d9e971bb648ad77d4952ce9
Cape
Cape
https://www.capesandbox.com/analysis/78981/

Comments