MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492
SHA3-384 hash: c8ccb1bbc3a28becd0e0cb31bf2396dd4233b6102ff111852f6071cc177b222f7c02a8b823869e64e8a169dc135d66c7
SHA1 hash: aa36cf3d69c6385a5f3700836f7561443181ca4d
MD5 hash: f2b9c9b07422eb0522277646434ac470
humanhash: solar-vermont-leopard-washington
File name:DHL-Shipping Doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:533'504 bytes
First seen:2022-04-07 10:23:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:AYE0ZQB9tUP2mfiKHpYYrgcU0H+tAmYkTtCc/4hFjZg74S:HEdtU+m6qYkUaFS34jZe
Threatray 15'771 similar samples on MalwareBazaar
TLSH T124B4120C66FC176AC6DA073B695A414213F2EA096811F77B9FEC24EF1D31BD04985AE3
File icon (PE):PE icon
dhash icon b2cccccce8b2b28a (21 x AgentTesla, 14 x Formbook, 11 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL-Shipping Doc.exe
Verdict:
Malicious activity
Analysis date:
2022-04-07 10:30:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c2d87d4-dab2-49ce-b781-034addc0b17d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/261688/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/624ebbc4cccdcb9947237cca/reports/0b081bed-bb7f-4ff8-8220-7f68c3ef5324/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32c33b5f-7ba4-4a11-9566-6e83d9553eed
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/972291
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 604778 Sample: DHL-Shipping Doc.exe Startdate: 07/04/2022 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Yara detected AgentTesla 2->35 37 10 other signatures 2->37 7 DHL-Shipping Doc.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\csNbqQCBv.exe, PE32 7->23 dropped 25 C:\Users\...\csNbqQCBv.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp7E63.tmp, XML 7->27 dropped 29 C:\Users\user\...\DHL-Shipping Doc.exe.log, ASCII 7->29 dropped 39 Adds a directory exclusion to Windows Defender 7->39 41 Injects a PE file into a foreign processes 7->41 11 powershell.exe 24 7->11         started        13 schtasks.exe 1 7->13         started        15 DHL-Shipping Doc.exe 2 7->15         started        17 DHL-Shipping Doc.exe 7->17         started        signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 10:24:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbl6dgdceyctc65sytmqs5nb4wxwn43pl4nz35fllo5komo3msja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08a29dc6fe654440e5f4381b8394a4dc30da8b994e0d0a2e1cb9ef32591fb13f
AgentTesla
5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec
AgentTesla
69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
AgentTesla
c2f02ec0e7c7d276c44e839eeb1c2020bd08ebb785bef33f59bbe7631e0a774d
AgentTesla
d34144acce5cadd1c0a70225999c64de95bac0c9f6866a91d64081b83b3c347d
AgentTesla
e400ed848e1fae8bc1cff4357811dd442d6fd2483f040c9b52807c5986e88327
AgentTesla
ead5b65d2655c15436db792be33e38667d12dae64faaa88909864e1310036f87
AgentTesla
ec126ed1137b37d9c36ecfad854764055428cf76293387fe354812d672201691
AgentTesla
fd6615af15cd468d22f07e28c49bef1487c276a3e935b56589bef8157da058e1
AgentTesla
+ 15'761 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220407-mfczksbfcm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
2243bd75cf7586510753cd842721aa574d57177d1a658fe74c37e32544ceeb95
MD5 hash:
27cac36d8718118f3bb62e151769b0fc
SHA1 hash:
86a72d805a7f582dd1bb7760d5691084711eb49b
Link:
https://www.unpac.me/results/c8ec083e-c638-47f6-a659-3cdea98f5bc7/
SH256 hash:
e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73
MD5 hash:
4379771ccd9b927712ef2505214161df
SHA1 hash:
6636b7b80e279de67c60b52277f566463afebf8e
Link:
https://www.unpac.me/results/c8ec083e-c638-47f6-a659-3cdea98f5bc7/
SH256 hash:
9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492
MD5 hash:
f2b9c9b07422eb0522277646434ac470
SHA1 hash:
aa36cf3d69c6385a5f3700836f7561443181ca4d
Link:
https://www.unpac.me/results/c8ec083e-c638-47f6-a659-3cdea98f5bc7/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9057e1986226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9057e198622605317bb2c4d90975a1e5af66f36f5f1b9df4ab5bbaa731db6492

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/261688/

Comments