MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782
SHA3-384 hash: 6b250902a34e3cd83bff51b970535c88a24e4aa9494fb4a2475baa8dd375564e0eebf0b2feac8224a6f6dfadd2f0dc3f
SHA1 hash: 41d719fcab35526695c2c9a07894ea18cc8b3a8f
MD5 hash: 90f01c1f9c34a52e1777cbce1c18d2e2
humanhash: violet-sad-bluebird-freddie
File name:DHL_AWB_1928493383.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:763'904 bytes
First seen:2021-01-04 07:37:11 UTC
Last seen:2021-01-04 09:30:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:+6uwgwYmQLuNnPgptAWUu9W+nK6O4IbyuPwU1vob7zZlKuIImIBpgvZu800Sd:iwmlCNnPg7ISRnKquIeo7nHnYvb0x
Threatray 11'008 similar samples on MalwareBazaar
TLSH 5DF4BE1523A86B2AE1BF673A81305100D7F5B85BD725D2BEBDE4E0CE9A71F814671332
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: relaycs.serverbrand.com
Sending IP: 27.254.174.247
From: DHL Express <engeki0725@gmail.com>
Subject: AWB 1928493383 出荷到着
Attachment: DHL_AWB_1928493383.iso (contains "DHL_AWB_1928493383.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_AWB_1928493383.exe
Verdict:
Malicious activity
Analysis date:
2021-01-04 07:40:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/41b794eb-4033-40c7-9710-624840190bfc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110370/
Detection(s):
SecuriteInfo.com.Artemis90F01C1F9C34.21514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573230
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=omjevfqchhl35cvbogf65fw4zmtrjomdvgt6z4qi7uq5fymnu6ba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ca8c0c5ebf25e694725d965acf1d3db4a299c633fd895ea6f2dab80082d7337
AgentTesla
3ddfcc0ce0a57e7f3131d0ba603d6516f00c6cf94f67e79ab38a7e8f922f74bc
AgentTesla
3de5c485f705f1cdf6088142033fb366aafa369044f74cf5a01a8c3517daa831
AgentTesla
4843c3600fa75fd8e78f04641b3fc363a3ae5e453ecd72a1e7b8b6c25408e376
AgentTesla
4ba3daeca73f3cde751424f8ec9972e274e0ffe915ce7c58eac0bf4d278920b1
AgentTesla
616ab10592901307ae43cc24dd1387523a9f4998a7cef709354f304beadfb299
AgentTesla
653f9230a0dfc61996a0213363c938cc629fe374f877febd3df485369d1f476a
AgentTesla
6b289f4c862c4205a7debaa7217dfad7e66b56dcd3274e9b4ee530aa0e380037
AgentTesla
956741cfb963a29651abae4b0bee9185ad7688cdc0f97f2336c891daab84976e
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'998 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210104-srwjtren2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
81d0f8951680442e423e7a7f1644c7e2201bf20ca48966e905acffa1747465da
MD5 hash:
1cbb1e3bb21e6309de801fcbd10019cf
SHA1 hash:
21c4b3808479f58a0598c98e0a3f1a814f80c1e7
Link:
https://www.unpac.me/results/503ea553-3b67-40a5-8efb-97365e9168a7/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/503ea553-3b67-40a5-8efb-97365e9168a7/
SH256 hash:
346a51b154de5b8c8a9b87b847e0a13290994ffbeb86accbe57cab3cddbd0900
MD5 hash:
18f4b9561bc929b017b11f9ab942ad4d
SHA1 hash:
5d3083343d1cf71ba96e15d5068705b4637315b9
Link:
https://www.unpac.me/results/503ea553-3b67-40a5-8efb-97365e9168a7/
SH256 hash:
cbb42c7e1cfc4b968a1c62dc9f59d55a589afbbe5f09e83f48968e12bbba2be4
MD5 hash:
a1a5e85e1603cf405b61c6b4ffb95967
SHA1 hash:
d56e364d425396db14a0e974c2d15a5044c8eac7
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/503ea553-3b67-40a5-8efb-97365e9168a7/
SH256 hash:
73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782
MD5 hash:
90f01c1f9c34a52e1777cbce1c18d2e2
SHA1 hash:
41d719fcab35526695c2c9a07894ea18cc8b3a8f
Link:
https://www.unpac.me/results/503ea553-3b67-40a5-8efb-97365e9168a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso d77450b3dfd6cb27ed41c66bbbd88458cf7f0c8ac5972956f3ad9395ff4d724e

AgentTesla

Executable exe 73124a960239d7be8aa1718bee96dccb2714b983a9a7ecf208fd21d2e18da782

(this sample)

  
Dropped by
MD5 9b17aaa7300f600819ad41e9e8616864
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d77450b3dfd6cb27ed41c66bbbd88458cf7f0c8ac5972956f3ad9395ff4d724e
Cape
Cape
https://www.capesandbox.com/analysis/110370/

Comments