MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 845552c3b6efd3b155eebf54ef7cbff7d2e5072da68575c243dfa44e39d9aeb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 845552c3b6efd3b155eebf54ef7cbff7d2e5072da68575c243dfa44e39d9aeb4
SHA3-384 hash: 42a357aee5cc98262f7f671c9e45f731059c57ef3817f843ec2b5677a76448bee7e1733498b27dcd45a43a0bd16f1af7
SHA1 hash: 1442f5d904447ba9ce1b58cceefd2553a0409018
MD5 hash: 60af55f38e55b51673a35139fdbf6963
humanhash: lithium-minnesota-michigan-mirror
File name:DHL Receipt_#AWB811470484778.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'248 bytes
First seen:2022-05-12 07:22:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ytfy0713i1urgs5JF7tWUh/oRd6E/xV3+ZEcBvRm0rp9UhgmQPTS9dA5vmhHge:Y5yI13surgsRtjO5+2G86p9UhQDv6Hg
Threatray 17'586 similar samples on MalwareBazaar
TLSH T136C41214239933B6D5AE07F0CE2691ED33B41D02DE65D3A79C9479CE8673F4900A2A6F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.datsun-nepal.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269915/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627cb62248eb7f6a7cdd7a61/reports/e9379278-9a1e-4aa1-948f-b08d252763e1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/540078e4-2401-40af-a13a-0f2973eadcff
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992694
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625189 Sample: DHL Receipt_#AWB811470484778.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 9 other signatures 2->57 6 DHL Receipt_#AWB811470484778.exe 3 2->6         started        10 QktAUm.exe 2 2->10         started        12 QktAUm.exe 3 2->12         started        process3 file4 25 C:\...\DHL Receipt_#AWB811470484778.exe.log, ASCII 6->25 dropped 59 Injects a PE file into a foreign processes 6->59 14 DHL Receipt_#AWB811470484778.exe 2 5 6->14         started        19 DHL Receipt_#AWB811470484778.exe 6->19         started        21 QktAUm.exe 2 10->21         started        61 Multi AV Scanner detection for dropped file 12->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->63 65 Machine Learning detection for dropped file 12->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->67 23 QktAUm.exe 2 12->23         started        signatures5 process6 dnsIp7 31 datsun-nepal.com 103.227.176.16, 587 A2HOSTINGUS Singapore 14->31 33 192.168.2.1 unknown unknown 14->33 35 mail.datsun-nepal.com 14->35 27 C:\Users\user\AppData\Roaming\...\QktAUm.exe, PE32 14->27 dropped 29 C:\Users\user\...\QktAUm.exe:Zone.Identifier, ASCII 14->29 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file / registry access) 14->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->43 37 mail.datsun-nepal.com 21->37 45 Tries to harvest and steal ftp login credentials 21->45 47 Tries to harvest and steal browser information (history, passwords, etc) 21->47 49 Installs a global keyboard hook 21->49 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/845552c3b6efd3b155eebf54ef7cbff7d2e5072da68575c243dfa44e39d9aeb4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 03:42:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrkvfq5w57j3cvpox5ko67f767jokbznu2cxlqsd36se4oozv22a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ca7a35579bc73bc645f69cc98dad04e9d85cc3e62467221c42a266cc0e80452
AgentTesla
605ade46e2008848c5d97ab59b76fa42ae845e3833545bf933b945ae6db9839f
AgentTesla
9c071afc054e8a65329317a6b449e9f4119a5546c2b3a5c2ce9bf2cb1a04a46e
AgentTesla
9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513
AgentTesla
aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78
AgentTesla
ba40d672744d9fea782381b7b609bc2cb381437d94afdaf458e17e8be0271fc2
AgentTesla
c36ec3f847b81b6e59ee1e6d17544ee886a3a85105d1aa06646df073f8590838
AgentTesla
eedd8e36fccdd66ba60d50f2c187b6600550332a3d377338f3641eb8cff7f1e3
AgentTesla
+ 17'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220512-h7r6csdgen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/499e8f80-2c28-411c-ac65-b7248196ad4a/
SH256 hash:
0f910d3f764e612d0d7f4e28fec00a42dc92bf2ec9357ff6da426e7ddddccf09
MD5 hash:
bdb3591363f2a69d7ad25967e2f44ed1
SHA1 hash:
e20fb57fb074a96396af91c1b3278a9b4f3e6b08
Link:
https://www.unpac.me/results/499e8f80-2c28-411c-ac65-b7248196ad4a/
SH256 hash:
b5349898c18a7b7fe8787dfca5c259ab03fae59927aa210e220aaec47e662c62
MD5 hash:
91e562bb99f7118d27251c123399e0e0
SHA1 hash:
a88f80a0f616a4ff06f0155a90c2fc347ad8b997
Link:
https://www.unpac.me/results/499e8f80-2c28-411c-ac65-b7248196ad4a/
SH256 hash:
2f4a0f1739788fe2b9efd355e20814d7b0900ec900253c0fe93241a22e7d1129
MD5 hash:
9d786ebeca961874bc56c51a5556587c
SHA1 hash:
17562f3c0eb4759cfd327ae65ba809fbbf5c6497
Link:
https://www.unpac.me/results/499e8f80-2c28-411c-ac65-b7248196ad4a/
SH256 hash:
845552c3b6efd3b155eebf54ef7cbff7d2e5072da68575c243dfa44e39d9aeb4
MD5 hash:
60af55f38e55b51673a35139fdbf6963
SHA1 hash:
1442f5d904447ba9ce1b58cceefd2553a0409018
Link:
https://www.unpac.me/results/499e8f80-2c28-411c-ac65-b7248196ad4a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/845552c3b6efd3b155eebf54ef7cbff7d2e5072da68575c243dfa44e39d9aeb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269915/

Comments