MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26
SHA3-384 hash:	34cbe8a79c48fd456667ea405be98e85e05ff4a0b04c3d02b2d1aede9c1b1cad3c2ff18746b35b9ed16982b59960e18a
SHA1 hash:	3547a27d401a2e7c904d1a5f86dc90bf0ddaf7b8
MD5 hash:	fe75946dc21923d8328a47f181792236
humanhash:	oscar-nine-monkey-cup
File name:	DHL_document11022020680908911.doc.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	53'800 bytes
First seen:	2021-03-29 08:20:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:I1gNzmQF2KTk3ZN8D8mv1PttdOft3rGflRGflvx/FIwJGun51uHX7/Fo4dTh4:vFFjYv6jjmtEX7/lS
Threatray	75 similar samples on MalwareBazaar
TLSH	AA334FE89B3506E7E96DF874B0A5311A6130B5BB18144A2792F7C0D3C82777E9DD0D2E
Reporter	GovCERT_CH
Tags:	AgentTesla signed

Code Signing Certificate

Organisation:	LFpKdFUgpGKj
Issuer:	LFpKdFUgpGKj
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-24T23:48:06Z
Valid to:	2022-03-24T23:48:06Z
Serial number:	8b7369b2f0c313634a1c1dfc4a828a54
Thumbprint Algorithm:	SHA256
Thumbprint:	b0f1f8dd748efd54ad2cea3cc00727fa9c81c301f4bcad6dfc5a6a05a74a2ba7
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL_document11022020680908911.doc.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-29 08:27:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/17bc1bfa-04a1-471e-ac9c-bea2a15f35e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127522/

Detection(s):

SecuriteInfo.com.Trojan.DownloaderNET.143.24156.5824.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/656636

Signature

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-25 03:15:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mgxjtbiyiqntzqw6i5q4wwfrqp6uamlf7tdknzgc5tvinbwcbyta._file

Verdict:

suspicious

AgentTesla

2866f5ec70ebbefba6db86a947187a4d283b099e25cca3c25e4e9e21f821c713

AgentTesla

64f7230663961a028299cbdf42863e3402e6325864e453ad5ec743e05f3a5ce6

AgentTesla

750ac1c22fae6298acf85f62700ebbc8ccd8aff1f3ff20b28d8baa075a73c4bf

AgentTesla

7b4405a91c3efb1637ed21a1b2fc3ce965fcd2770513e71d6ba0f2b7608e5822

AgentTesla

7e27cccf7b35b0eb3092c56794510356fdea2326551b1c4c71256bc7d36ecffc

AgentTesla

9d126181ae2105143b0f752266dc20d36c76f5032e3c343df47c96977ec18026

AgentTesla

afd0e2a33836232d156324023353331d3dbc04364b85f61f7e01a7504cf14a18

AgentTesla

d0f193101eb9a5a5a54c191dc7b3fafaf3126b7765faf885bdba255affce6e54

AgentTesla

f01dbed6e7c2bdd717fc4fa8b8924e3ded176c2e7eb8171c5699e118c4f6b69b

AgentTesla

+ 65 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210329-7d852kg6as/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26

MD5 hash:

fe75946dc21923d8328a47f181792236

SHA1 hash:

3547a27d401a2e7c904d1a5f86dc90bf0ddaf7b8

Link:

https://www.unpac.me/results/584fa54a-f7e4-4b44-b610-0cac0769a31a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.10

Link:

https://yomi.yoroi.company/submissions/61ae998518441b3cc2de4761cb58b183fd403165fcc6a6e4c2ecea8686c20e26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time