MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 862376a9e48e0c84820bfd7b013cb14f9e2a41151785f3558e7912e2e8041d39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 862376a9e48e0c84820bfd7b013cb14f9e2a41151785f3558e7912e2e8041d39
SHA3-384 hash: 62a962d4268fe12232bbf63a2f07673f739818ac28683461c1138cb65c5f8f0b4554449b8c0e5dba9c8a75beee508e54
SHA1 hash: d2ea031d7928e421d57925c0e4108051d7d1d652
MD5 hash: fd847645836a66a79e9158f45f863edd
humanhash: neptune-social-steak-south
File name: dhl_customers_form_pdf.exe
Signature: AgentTesla
File size: 1'030'656 bytes
First seen: 2020-06-30 13:48:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 12288:VcD/0VupuTyxwIzqNBP+E/JSvI7Yf4H444l:gjpumW6qz+OSvUo4H444l
TLSH: 772593197F80A535D43DBD3243995770E363AD822722CB0F6D89379A5EA22D73F0325A
Reporter: @abuse_ch
Tags: AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: clubspace8.vacationpubsandclubs.com
Sending IP: 69.36.182.206
From: DHL Express <customersservice@dhl.com>
Subject: DHL EzyBill – Invoice No: TNSR000153181
Attachment: dhl_customers_form_pdf.img (contains "dhl_customers_form_pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 35
Origin country: US

CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17251/

ClamAV: No detection

CERT.PL MWDB Detection: agenttesla
Link: https://mwdb.cert.pl/sample/862376a9e48e0c84820bfd7b013cb14f9e2a41151785f3558e7912e2e8041d39/

ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 13:50:07 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 8/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-91w66917cj/
Tags: spyware

VirusTotal results: 22.22%

Yara Signatures


Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 9af594dc0a7f54b0e820fd6418e3ce21 (AgentTesla)
This sample: Executable exe, SHA256 862376a9e48e0c84820bfd7b013cb14f9e2a41151785f3558e7912e2e8041d39
Delivery method: Distributed via e-mail attachment

Comments