MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523
SHA3-384 hash: d7895a8c27aec8ee771a0691535fc1203072b87f339fb97a7a2220f9fe05a9e53b9df589368ddfb7311cefb7cc1ee711
SHA1 hash: bf560e28cd6d9f5854b3e334d82db9d80815560c
MD5 hash: 6e4118c7371981515f696082234c7915
humanhash: failed-mexico-network-video
File name:DHL DOCS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:324'608 bytes
First seen:2021-01-19 13:09:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 43f1b4fb55ffa0f3576d845e7070130e (5 x Loki, 5 x Formbook, 4 x AgentTesla)
ssdeep 6144:CwrCpB4qWe494y5LIS85mdoGAFiS4HY9iihjbQm+j/yFJlImjyBliTYG8vVqfbOI:jCpBz49JIS8ydA4HmtbCoJymuB0YPv8l
Threatray 418 similar samples on MalwareBazaar
TLSH B4641215A5C8CFBAD0C080F46F59B8CF097A252153878AE7C7907D7B50AD986E43DA2F
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.nwapastor.com
Sending IP: 5.2.74.87
From: DHL Courier ServiceĀ® <noreply@dhl.com>
Subject: DHL On Demand Delivery
Attachment: DHL DOCS.cab (contains "DHL DOCS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL DOCS.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 13:35:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f4b21cb5-25d6-4857-b46e-6d58ea12a13b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112910/
Detection(s):
Win.Malware.Filerepmetagen-9822566-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/585034
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523/
Threat name:
Win32.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 12:55:36 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=soqu75utsqbm674qd2kxv5qmntpdn7ayydr3ebetyewfc56qiurq._file
Verdict:
unknown
Similar samples:
61a024421c2b1b7753c079ce5dd6e84902bb406f212b6cb7009334730e8fcfc4
AgentTesla
94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95
AgentTesla
9980343cf5395db3a941411223c889da9abd8862b7ff5e1dcf30d8e4b2439db6
AgentTesla
9ee67445d4ffeedd7c11e1e14949bf0f6060f34352e3f2c8d2184ffe0b4d235f
AgentTesla
bcacb340582be7a1764da1d56bd4e86d027987eb6a985ca973fa9d1509eb0863
AgentTesla
bfe365fae8e14aae158de051972efe75103b705f7d8cf84061f857d79bb1993b
AgentTesla
c3651ed2c59e56af93418b56a8fc12fd557d37f5905ac00fd8885f748af97c38
AgentTesla
dd9c6267a87c89067d157e28d6f3ca17f958871f3d403609ed72dad80514e226
AgentTesla
e3fceaabe401036d5b259a767747f86c6563db8d122c87e70506ce84ad622638
AgentTesla
f5a88909c2272b7ddba37b210ca2bbf79c4baf80e51f883a36e5887183b84d3b
AgentTesla
+ 408 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210119-na96kck5w6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
17daf235c0ea4849be3cd64a225c0276e3aed183b91b10068cc89d17b354179a
MD5 hash:
8d4b2717266caf93616fe06df1506c80
SHA1 hash:
e00c81aecc9ef9f68c399765ba491e485a5fa613
Link:
https://www.unpac.me/results/c8162e59-f384-4804-9173-4ef6841ea83d/
SH256 hash:
42826cc7a48a420c69b2718766af49349da148eb9470ff6ae6e7ce2c9190f639
MD5 hash:
31e2e6321776bb3010c093460ce63088
SHA1 hash:
139cb12765a6a65200d11d61efa0b79a217e1da0
Link:
https://www.unpac.me/results/c8162e59-f384-4804-9173-4ef6841ea83d/
SH256 hash:
93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523
MD5 hash:
6e4118c7371981515f696082234c7915
SHA1 hash:
bf560e28cd6d9f5854b3e334d82db9d80815560c
Link:
https://www.unpac.me/results/c8162e59-f384-4804-9173-4ef6841ea83d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab f3ca7094e010fd54649e9e7d3d3e040b48772e7d6caeaa4631da4fd27ff750f5

AgentTesla

Executable exe 93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523

(this sample)

  
Dropped by
MD5 51da07df2df7c16f6a9d055fc59531b5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f3ca7094e010fd54649e9e7d3d3e040b48772e7d6caeaa4631da4fd27ff750f5
Cape
Cape
https://www.capesandbox.com/analysis/112910/

Comments