MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82
SHA3-384 hash: 67406ad1a070e4af76da5db272f1f0e2881948a79275cd56ed777bb8122399d3d0e61c98cfe81fd7425b086d93f44263
SHA1 hash: ea6bfe20bde6ecc8be49ef73862306174b796f48
MD5 hash: 2be43b210c1cd07b822a12900ec12e55
humanhash: two-vermont-edward-aspen
File name:WaybillDoc_3227610761.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:703'189 bytes
First seen:2021-06-25 06:40:01 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:zFBrfzcRxoGNWSKiLygk6ZDxavHdJtfWT/NONJC6CQaqrrgTWHYmUiCZHUkLCTWi:HXifhKmyD6Zov92rNPqAW48CZtlDNSn
TLSH 42E43342C55A67A2D4C8B4FB04EBB635FF50FAA108D4B1F46B77AC3FB56EE204418684
Reporter cocaman
Tags:AgentTesla DHL zip


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Customer Support <support@dhl.com>" (likely spoofed)
Received: "from bizcloud-server.gtepeyac.com (unknown [159.89.112.172]) "
Date: "25 Jun 2021 04:18:33 +0200"
Subject: "DHL Shipment Notification : 3227610761"
Attachment: "WaybillDoc_3227610761.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:40:23 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qhykqvmz3iechp3nnwx6wymg6bqsl4st2ykssnkjpidypjmedsba._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210625-xdj4zqs6jn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 81f0a85599da0823bf6d6dafeb6186f06125f253d6152935497a0787a5841c82

(this sample)

AgentTesla

Executable exe c7de31a272c9011e4174cdebfbef70b6af97363aea74da09ad2c184ada4327a4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c7de31a272c9011e4174cdebfbef70b6af97363aea74da09ad2c184ada4327a4

Comments