MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70ee06cd66b7d44ee847205461ac43ca346b2515a791d8e0fb3a60474861eea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70ee06cd66b7d44ee847205461ac43ca346b2515a791d8e0fb3a60474861eea1
SHA3-384 hash: e95445bf901d6e1f888d56755623de9346dd19d529f8cb5e93d63a7360262a097d8ebcb4bd1334e7a68d88e383da4645
SHA1 hash: 012ab3dbdf7d9abc63cf7005058bc79e67c794a9
MD5 hash: 72d3fb6a5e154ffcd0e7a616c7fb4757
humanhash: california-november-idaho-magnesium
File name:eMailShip Consignment #960597804_awb dhl doc(s).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:869'376 bytes
First seen:2021-08-06 13:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:aWN4b0wFVMNjC1GL2+tn2BpqrCbrW6iJxb3ZoIqseb1K9o:34YwFShC1+2ICbrW6WxzaAB
Threatray 7'952 similar samples on MalwareBazaar
TLSH T1AE05DF3076FE6314E1BBEB70463591404BFAF53BD722CB8E2C64549C9A73A828712F56
dhash icon 224b89999919477e (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eMailShip Consignment #960597804_awb dhl doc(s).exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 13:45:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbebc4dc-0626-42bd-8d85-d18556d6e755

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177018/
Detection(s):
SecuriteInfo.com.Artemis72D3FB6A5E15.19311.31535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d39f687b-333a-456b-ad18-90a04cecc030
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/828308
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460739 Sample: eMailShip Consignment #9605... Startdate: 06/08/2021 Architecture: WINDOWS Score: 68 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 2->46 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->48 50 2 other signatures 2->50 7 eMailShip Consignment #960597804_awb dhl doc(s).exe 4 2->7         started        10 gqdBJdt.exe 3 2->10         started        12 gqdBJdt.exe 2->12         started        process3 dnsIp4 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 15 eMailShip Consignment #960597804_awb dhl doc(s).exe 2 5 7->15         started        19 powershell.exe 26 7->19         started        22 eMailShip Consignment #960597804_awb dhl doc(s).exe 7->22         started        56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->58 24 powershell.exe 10->24         started        26 gqdBJdt.exe 10->26         started        28 gqdBJdt.exe 10->28         started        40 127.0.0.1 unknown unknown 12->40 signatures5 process6 dnsIp7 34 C:\Users\user\AppData\Roaming\...\gqdBJdt.exe, PE32 15->34 dropped 36 C:\Users\user\...\gqdBJdt.exe:Zone.Identifier, ASCII 15->36 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->42 38 192.168.2.1 unknown unknown 19->38 30 conhost.exe 19->30         started        32 conhost.exe 24->32         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/70ee06cd66b7d44ee847205461ac43ca346b2515a791d8e0fb3a60474861eea1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 11:04:32 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odxantlgw7ke52chebkgdlcdzi2gwjivu6i5ryh3hjqeosdb52qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e05e51ecad336826d8cea59e153989c318a6d85466d33a6344c3e3e52631703
AgentTesla
2c835f6d420ccba02279383c7fd61f0b3729c82d0e0b85793426ff9b57b643fd
AgentTesla
540bb22ebba63642369ea8ff2d1c87db348926c8d0dee112bb883c0148447237
AgentTesla
7aa68607125bef983ddab226fba6d49d5ad2fb35348d981b33a2dc469ab045ea
AgentTesla
8790cd85d203dc819e5322e7cfdbafc8ff674680795a7b5e8fff5b0fcf53bbf2
AgentTesla
993111aa77f08dd30d54452ff8c2ee7b21e3a849a9abc850ca2eecc17dbd987a
AgentTesla
a76de913a4896b5580cfa19f76e19f8a86fd2f7b0d5331735dfe93d113b46a97
AgentTesla
a9a697209f71d50709d9f478079d062b61456682313ed32ff2246c5b57f6264f
AgentTesla
beeb5cb22555b396578142e0f399af295e0108e895ccce899d95cd7801c37511
AgentTesla
+ 7'942 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210806-enbzrx5yea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocument
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/d7a2b463-325e-45ec-adf0-70343d6b44ad/
SH256 hash:
708c8f2d1c786d4864d31146738e56e8755804d1d4517bb65d1dc49a1036aabf
MD5 hash:
1659fd73e1a3212cee02821d891e0da9
SHA1 hash:
d79193f44ac426923cd179a4005bbd127af5e3cd
Link:
https://www.unpac.me/results/d7a2b463-325e-45ec-adf0-70343d6b44ad/
SH256 hash:
d214ac6ed5f86f45daa79f565b1ace4249239099ef9122cb5178f004cb646dc5
MD5 hash:
85ca43c3eff3c13d640a8b3343da952c
SHA1 hash:
40656bee65e6068cb129665af6a9cd69d22b6dd7
Link:
https://www.unpac.me/results/d7a2b463-325e-45ec-adf0-70343d6b44ad/
SH256 hash:
70ee06cd66b7d44ee847205461ac43ca346b2515a791d8e0fb3a60474861eea1
MD5 hash:
72d3fb6a5e154ffcd0e7a616c7fb4757
SHA1 hash:
012ab3dbdf7d9abc63cf7005058bc79e67c794a9
Link:
https://www.unpac.me/results/d7a2b463-325e-45ec-adf0-70343d6b44ad/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/70ee06cd66b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70ee06cd66b7d44ee847205461ac43ca346b2515a791d8e0fb3a60474861eea1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177018/

Comments