MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 9

SHA256 hash: 94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95
SHA3-384 hash: 2dad294652092b1d990a78943d86baa70a53fc4966610a23313617025576e2fcd0d2fd51a450a4da4b36ea831278debf
SHA1 hash: 43be31d907ec599edcd6c64b61a5d464c02a981b
MD5 hash: bedc66c12a9045e1d8e89fd47ccd4ebb
humanhash: harry-spaghetti-july-hotel
File name: INVOICE.exe
Signature: AgentTesla
File size: 490'496 bytes
First seen: 2021-01-19 07:35:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep: 12288:7f9HmdvtKCeUunEkQPQDBZ7+nl/U8exvJAnmtt2Od:r9Gn6UAVQYDBZSn1axAnpo
Threatray: 394 similar samples on MalwareBazaar
TLSH: 42A4E13071C1D431D0B302B641B4ABA209BEBE355B764C9FAFE59D9D19B80E1A336763
Reporter: abuse_ch
Tags: AgentTesla DHL exe


abuse_ch
Malspam distributing unidentified malware:

HELO: mail.hostmaden.com
Sending IP: 77.92.141.108
From: DHL Express <noreply@dhl.com>
Subject: ORDER REQUEST
Attachment: INVOICE.cab (contains "INVOICE.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 186
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: INVOICE.exe
Verdict: Suspicious activity
Analysis date: 2021-01-19 08:20:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla

Behaviour
Behavior Graph:

Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-01-19 07:36:13 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 2/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan

Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla

Unpacked files
SHA256 hash: 0a0c9667f0248a5d84209400247301d4d301803f6ebb0297ee85e3bc1359223a
MD5 hash: aa533c2d65cb0db44ab742b86386f91f
SHA1 hash: 51fae5e93dd976ce26726dcd6b57f5c9463fd359

SHA256 hash: cb0d9995216e5a92da679c275938736065f10361d9da7a5b660ac844bf6beb57
MD5 hash: 79165c687e5354f135c71a0a67dd4c87
SHA1 hash: 426a69aa060124555d7e63d844c145cebc7d7dfb

SHA256 hash: 94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95
MD5 hash: bedc66c12a9045e1d8e89fd47ccd4ebb
SHA1 hash: 43be31d907ec599edcd6c64b61a5d464c02a981b

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | AgentTesla | Executable exe 94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95 (this sample)

Delivery method: Distributed via e-mail attachment

Comments