MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683
SHA3-384 hash: c5d550ad4bba03e92f0a77b8e3751908a9bae9b69297d91d01f6efa219af9867cc980b850211668ad2a214be599e3178
SHA1 hash: 6b59a64f11e6559c1354c8097856593469ecd8bc
MD5 hash: 3e910208a9f1bf03108895af8671078c
humanhash: bacon-winter-hydrogen-colorado
File name:DHL_AWB #1008936572891_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'156'032 bytes
First seen:2020-08-13 09:19:41 UTC
Last seen:2020-08-13 10:26:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:slekszEMhv32HMfjsMJxLQwe4mpLri4L:sPaEY2mth4
Threatray 612 similar samples on MalwareBazaar
TLSH 40A518367A824425D53E063180A9AAC1B375B68B3B56DF1F34CB135C5F0339BBB0B59A
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: de.uitn.com
Sending IP: 144.76.245.34
From: DHL EXPRESS <CUSTOMERSERVICE@DHL.COM>
Reply-To: DHL EXPRESS <soomla6384@yahoo.com>
Subject: Ref: DHL_AWB #1008936572891
Attachment: DHL_AWB 1008936572891_pdf.rar (contains "DHL_AWB #1008936572891_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45011/
Detection(s):
SecuriteInfo.com.Fareit-FVT3E910208A9F1.2176.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/425627
Signature
Binary contains a suspicious time stamp
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265377 Sample: DHL_AWB #1008936572891_pdf.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Yara detected MassLogger RAT 2->53 55 11 other signatures 2->55 8 DHL_AWB #1008936572891_pdf.exe 8 2->8         started        12 WEqfDb.exe 2->12         started        14 MassLoggerBinUPDATEProizvodnja.exe 2 2->14         started        16 WEqfDb.exe 2->16         started        process3 file4 41 C:\...\MassLoggerBinUPDATEProizvodnja.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\l.dll, PE32 8->43 dropped 65 Injects a PE file into a foreign processes 8->65 18 DHL_AWB #1008936572891_pdf.exe 2 5 8->18         started        23 MassLoggerBinUPDATEProizvodnja.exe 3 8->23         started        67 Tries to detect virtualization through RDTSC time measurements 12->67 25 cmd.exe 14->25         started        signatures5 process6 dnsIp7 45 specialmetal.ir 5.144.130.34, 49708, 587 HOSTIRAN-NETWORKIR Iran (ISLAMIC Republic Of) 18->45 47 mail.specialmetal.ir 18->47 37 C:\Users\user\AppData\Roaming\...\WEqfDb.exe, PE32 18->37 dropped 39 C:\Users\user\...\WEqfDb.exe:Zone.Identifier, ASCII 18->39 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->57 59 Tries to steal Mail credentials (via file access) 18->59 61 Tries to harvest and steal ftp login credentials 18->61 63 2 other signatures 18->63 27 cmd.exe 1 23->27         started        29 conhost.exe 25->29         started        31 powershell.exe 25->31         started        file8 signatures9 process10 process11 33 powershell.exe 19 27->33         started        35 conhost.exe 27->35         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 09:21:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbixsvsssa4bzduora7r4tdxmud4dxotx6ujal2df2rr7pyby2bq._file
Verdict:
unknown
Similar samples:
044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7
AgentTesla
21cea3a243809c8cc06412ffd647e4896b35a246cf8c365484e0419477d94b37
AgentTesla
2793ca2b4f702f2ddfcaeb0ccde6700da8b215b9894cf72adbece6a4d57a8e67
AgentTesla
2a1b3187f7000dfb10dff758fe598e73e58d6864c5a4579e7c35acd88314ca20
AgentTesla
2c7ac0a31c8828ec11ad0c9dd80f8809fb1248f5c36b6b34d8c9974aa8ecaa06
AgentTesla
2eea41fa4b1a202182851d36b3866be43e1ba8c4912c18290caaac84da4dbcce
AgentTesla
5c6a46b8db4713a9679ae9b069515a45d73088d55555111f5f1114af921eabdc
AgentTesla
66be42e48ac5cca62e07acb170e1965756f0556ac5ad9a3070c64c6e74a11fa7
AgentTesla
797c64ffd02f4ed730fc195028cfe6b82928403e75a94d14f8f8de87510818e0
AgentTesla
d4557d36508f2a62bbb7e58cc6b8a5d1f9588810485b04adf4cc100ee925687a
AgentTesla
+ 602 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200813-zw4fvfam4s/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e

AgentTesla

Executable exe 885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683

(this sample)

  
Dropped by
MD5 cc5d1ba1b2cd9a126ce8cbc974e01f68
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e
Cape
Cape
https://www.capesandbox.com/analysis/45011/

Comments