MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459
SHA3-384 hash: 26f9d4065f96861599f39dfa12e898f4b05502aa5cab9a24002db4b184bb26fb6cf27d073ce34272bdff2316c0066990
SHA1 hash: 830f3daa0af922b16da3f54ffc54ecc4124a823d
MD5 hash: 1ebb4fe803327f3fc520e3d8eada9a36
humanhash: carolina-tennis-whiskey-video
File name:DHL AWB - 453968867878_Shipping Documents 2022.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:488'960 bytes
First seen:2022-01-24 10:48:25 UTC
Last seen:2022-01-24 12:59:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qgDQDNcUdXMTP25oV9tqKW4rW6bfaEM/fKtd:nDQDNney5oV9txWaA
Threatray 14'515 similar samples on MalwareBazaar
TLSH T1DEA4024973D4B2AFC867CE7ADEA04D10E7A4B4AA1313D747684B125D894E787CF01AB3
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221907/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.17146.18396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/61ee84240f8c757253e1a0bc/reports/6eadff79-cd42-4a29-a55a-4ab4207dccb6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7298e799-f337-4309-850a-125cd3e371d2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926247
Signature
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 08:40:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqj632zvu5uvxuoodk7ps7ubmgl5b46azdwb3pvvidpmnoreyrmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2e193e5bdb8c96b567f65f85cc77a6e334947b09ab081684adfecdd70c3d3c17
AgentTesla
62c3cafccdb3fcf9eaabbb2c6802bbd3c9bdba93a5fbf0f1ac9061a0e8023016
AgentTesla
67e900002f5cff55084abd74646c25e1d22cf652cb0142315ab4bdc2906aad53
AgentTesla
876d9c40235667ad9182ca0357110a558534a1c7d672f8a636a966fe2d016eda
AgentTesla
8966234482a7b23bdf771b10efa29986ad7019978444f2fa4a49854d2036ebfa
AgentTesla
ce1fd1beffea8eb14b0e25eed6ba449090bda9d0ee4f487c637449cca6df6529
AgentTesla
f6e560ce19f29365583a29c5b5bc2128dcc0d8e1c021b54f79f6ecadd723e21d
AgentTesla
+ 14'505 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220124-mwpcjsedbr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bac3993c255d7d5f3757526936df3c133a3e327fc4c9af431eceba8b96cc2a38
MD5 hash:
aee228cf207c3f481ba60494da1ac751
SHA1 hash:
fbd77f308b6a8f834c1f920ce3de6115fe086272
Link:
https://www.unpac.me/results/0bd4b3bc-a771-4e56-9048-ed94d7a104e2/
SH256 hash:
f8e7ac8510537e2ecc71cdd95a674992fbe6c0719682284424aa4c4c6966a3d3
MD5 hash:
8eaa260302b46d3d349ac13d9ba7f1ee
SHA1 hash:
c844a2053696d68f2c449e740c5fd92895042279
Link:
https://www.unpac.me/results/0bd4b3bc-a771-4e56-9048-ed94d7a104e2/
SH256 hash:
add1cf89a34122270d470be6dd0e950b4e7b36e8adbdc9938fdfddea710faf82
MD5 hash:
aa99a7938b9d7bc08b8c1824e2914d1f
SHA1 hash:
c6719966b383d31692cd9c4ec876d47b09eff17e
Link:
https://www.unpac.me/results/0bd4b3bc-a771-4e56-9048-ed94d7a104e2/
SH256 hash:
9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459
MD5 hash:
1ebb4fe803327f3fc520e3d8eada9a36
SHA1 hash:
830f3daa0af922b16da3f54ffc54ecc4124a823d
Link:
https://www.unpac.me/results/0bd4b3bc-a771-4e56-9048-ed94d7a104e2/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9413edeb35a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 16489d4e625dfa52f959de1d07e0eb32f7122c981557bfb8f9354895b9284bcc

AgentTesla

Executable exe 9413edeb35a7695bd1ce1abef97e816197d0f3c0c8ec1dbeb540dec6ba24c459

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 16489d4e625dfa52f959de1d07e0eb32f7122c981557bfb8f9354895b9284bcc
Cape
Cape
https://www.capesandbox.com/analysis/221907/

Comments