MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3
SHA3-384 hash: f658aa9dc1f587cc96929d0ba2f729b30ac550be89597b2f401d45dee91a5b7efdd65b49d9d3c4d998bd7fda85f717c5
SHA1 hash: f1a935df27f8307450ece11578a6e798c394276e
MD5 hash: 32637f18fd6b2728d0d023fece62ed0e
humanhash: timing-juliet-connecticut-vegan
File name:DHL Express Shipment Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:809'984 bytes
First seen:2023-02-17 07:11:03 UTC
Last seen:2023-02-17 08:30:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'630 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:uhu4qDSu4Dsv9tXGJriI5+iK6MYWCYnOE7RUv4TvebtMDsv9tYVBjyE0Cb9hNZdt:uhu4qDSub8rG6MYWOE7MOeGZ
Threatray 932 similar samples on MalwareBazaar
TLSH T1DD055BCCB1B0F67ECA0ACD76AB103D14ABE06553672AC592E253B6D95F3D4538E1C0B2
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express Shipment Documents.exe
Verdict:
Malicious activity
Analysis date:
2023-02-17 07:14:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef4fcf95-9255-41b6-b3c6-bbbee9f78c9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367552/
Detection(s):
SecuriteInfo.com.Variant.Lazy.156097.21701.18256.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ef28c2c75ae5c7ae34a1cd/reports/426f60ae-3457-4b2a-9900-0eeb74177758/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba1c2a87-1ff5-4bbd-9c01-948bbc6ed78c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1177724
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 810547 Sample: DHL Express Shipment Docume... Startdate: 17/02/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 5 other signatures 2->51 6 Skype.exe 3 2->6         started        9 DHL Express Shipment Documents.exe 3 2->9         started        12 Skype.exe 2 2->12         started        process3 file4 53 Multi AV Scanner detection for dropped file 6->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->55 57 May check the online IP address of the machine 6->57 59 2 other signatures 6->59 14 Skype.exe 14 7 6->14         started        29 C:\...\DHL Express Shipment Documents.exe.log, ASCII 9->29 dropped 18 DHL Express Shipment Documents.exe 17 10 9->18         started        21 DHL Express Shipment Documents.exe 9->21         started        23 Skype.exe 7 12->23         started        signatures5 process6 dnsIp7 31 173.231.16.76, 443, 49700 WEBNXUS United States 14->31 41 2 other IPs or domains 14->41 33 discord.com 162.159.137.232, 443, 49698, 49701 CLOUDFLARENETUS United States 18->33 35 api4.ipify.org 104.237.62.211, 443, 49692, 49702 WEBNXUS United States 18->35 43 2 other IPs or domains 18->43 25 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 18->25 dropped 27 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 18->27 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->61 63 Tries to steal Mail credentials (via file / registry access) 18->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 37 162.159.138.232, 443, 49704 CLOUDFLARENETUS United States 23->37 39 api.ipify.org 23->39 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 69 Installs a global keyboard hook 23->69 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 02:37:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxmvlayfejdawwykaantlr57nomzmk3kj2cddgipetahpkkhjpjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2
AgentTesla
6600f2c51ef233a254c85c0a3070eb9a81046692dd9918de53213c23e26a733f
AgentTesla
71d07c6a2d2c936d68d34be26e8db95e47a616d30521f128feb2e79fbbaff469
AgentTesla
7b7b389efc9f4cbf70d147c03f99818173d04ad90764040c313310ed5814eefb
AgentTesla
ba542ce1c5d0e51b1e22b56570886c6b7355c2db9e79c440f03a2116966421d8
AgentTesla
e52d1b25f864cc294fb486870071562f58ae534aaefdd72122dd865b8d189734
AgentTesla
+ 922 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230217-hz2d3adg8y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1075778535278518443/QQb7Cd08b69uL50e3krm5eUuWTxoJlmNvAzD2e00mUF_DkIk551NHimF6vf-8Owfolb0
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
0ba4f7411ed911bebaaa5f650b1ed99cfeaf8e5f1951559c9e8507106eeed6e9
MD5 hash:
4ed2086330e390610d12cdb8b0df9fb6
SHA1 hash:
66ce9f346a2e245583a1aa99f3792e521f1ffe11
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
SH256 hash:
c12d2628d984c0b8071e1daa76812d8eae5cd9a18dd99eac444ba00d38977501
MD5 hash:
ec47f2cc8cb2264f192660aa1c81f96d
SHA1 hash:
50b322aa2022e5570911ceb2ca39aeaeca91e540
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
SH256 hash:
6a8a166fbdf029e077a3cc3a275c95c97d53f366057995ca105a04e86bdfaa6a
MD5 hash:
0691a53b873ce6a25b990f99a7df1bc8
SHA1 hash:
3915eea5c7690b4eec54b0c6337118f43c362dcb
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
SH256 hash:
12a1704fc701d35248cb0ad46070d6745baa928715c451fb3abab5309d23e482
MD5 hash:
f806a951d96d6cbf73297c5867f50e70
SHA1 hash:
1d4185dc32f9d8a9c4201cffaad91df803c9889d
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
SH256 hash:
85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3
MD5 hash:
32637f18fd6b2728d0d023fece62ed0e
SHA1 hash:
f1a935df27f8307450ece11578a6e798c394276e
Link:
https://www.unpac.me/results/fbc98075-8653-4a36-a2fc-f61654c90a44/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85d955830522/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 85d955830522460b5b0a001b35c7bf6b99962b6a4e8431990f24c077a9474bd3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/367552/

Comments