MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b
SHA3-384 hash:	cc2e380e35d7aa246ff0adf0ba4a9706857670aae9ed2e0f2bd4f5b6b9ab124fdd86af12f99772bfc79a56b01bbf10d5
SHA1 hash:	600b46df2c843afca73c0689cd073b1829ad6d1f
MD5 hash:	3bbf88766418850bf3552358e09341d7
humanhash:	oven-may-indigo-nine
File name:	DHL arrived.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'100'288 bytes
First seen:	2022-10-27 17:09:44 UTC
Last seen:	2022-10-28 16:22:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:+L4+A6w+nGorX3g39NJrQanbCb05i/J1I1gbK:+c+A6w+nGob3GNaab7s/A+K
Threatray	19'475 similar samples on MalwareBazaar
TLSH	T1AB354924EAEDD937F0365B718B8371F54FA9FE729A01909738613AC52673F40885E932
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0884f2c9e0385e27 (3 x AgentTesla, 3 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

245

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

DHL arrived.exe

Verdict:

Malicious activity

Analysis date:

2022-10-27 17:17:41 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/9a35912c-cf6b-487d-aa05-ca2a9d899100

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325042/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Creating a file

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7466dd25-e532-480d-8cc2-166ca6ca32ef

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099624

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-27 12:03:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sdkbdnfxmufjbgg4t7gjpew5jb2j4qinjhxwmauh73utgykwmrvq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40eacf74e5f8d9b40c3a70ba66a6c30deee60c2843f94fe387ccb0dbb7a2cd59

AgentTesla

71720ec77fe5f1bf93446abc71b1ae23da1e5bff3d45ca6eb0d52e8739e4a155

AgentTesla

aa6e1ee545dc8999e440c0a7e974425bd0dd2fe548570316b1cee02454057260

AgentTesla

aabe01bd698dff2e015e51939e380454ed77ea1903810bf2ca99ecc8e163a52a

AgentTesla

ab91459253a14ca086ed1b79f0958b331fc09b7d611ef953ca85c045ff43024e

AgentTesla

c12780831455d11678c4f38afa6c20585685c2ba8ada4c0d806b774ea16f4301

AgentTesla

f3ba68ac24bbd5f939b319f7712015fd7b67071b927596a3a78a1f905455b187

AgentTesla

+ 19'465 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection evasion keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/221027-vppzhadabq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5646065819:AAF1LifptI6XX-TUofh5eIiiXwvLlkq6Iqw/

Unpacked files

SH256 hash:

89e8877247a68b092fc7444d8fa5f0641024a68b26a27473b722f5c1cad1a337

MD5 hash:

2c60384c965f818303d94d77db43241d

SHA1 hash:

c7871f36e5efcd371233eb432ec8648e01d324bf

Link:

https://www.unpac.me/results/a6a09ef4-e199-455e-95f5-1204541feb6d/

SH256 hash:

f3255ca08e0de16890d94861cd99002e1e8e9a1cc1d74b9d58f2935fae0fd8b9

MD5 hash:

2a050eafe5c404920b0de5532aae7c99

SHA1 hash:

b9eb59045fe41a6c3fdfb3afcc731fad14ea8774

Link:

https://www.unpac.me/results/a6a09ef4-e199-455e-95f5-1204541feb6d/

Parent samples :

1bba79e46b3a57c57208f5b0c0ea9601e7e63ed219fb9c93eb2d75fa1045fb05
cce7ec3b61ede4fdaf44b5b85c6175bc617650155e2913a076b1738dab059487
3805a0d8d5c31e2f0a26230bfbe046b71da707cec6047cfad58aa7fc76de8c36

SH256 hash:

a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59

MD5 hash:

404efdeb9931733904da07f96fabeb72

SHA1 hash:

7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

Link:

https://www.unpac.me/results/a6a09ef4-e199-455e-95f5-1204541feb6d/

SH256 hash:

90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b

MD5 hash:

3bbf88766418850bf3552358e09341d7

SHA1 hash:

600b46df2c843afca73c0689cd073b1829ad6d1f

Link:

https://www.unpac.me/results/a6a09ef4-e199-455e-95f5-1204541feb6d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90d411b4b7650a9098dc9fcc9792dd48749e410d49ef660287fee9336156646b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/325042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample