MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b
SHA3-384 hash: 4bf33059159059ef5aecf7c014d5d653444ef654eb85d74562e68027e360dcd8a3ac6042c4e11371255e534bcfe93119
SHA1 hash: c99b92b619e5095b78661fb193a0cd0167280da6
MD5 hash: 1185ae49871da0b2d32b9c81036b49f2
humanhash: ceiling-south-carolina-steak
File name:DHL_document11022020680908911.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'141'248 bytes
First seen:2020-12-17 08:36:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:AJuOj79LcoMIAd/GXu81ENnSsRtvSyCWslmy/jT+D9L2nEGr5UoSpmYqeKPuSh2I:o349dGry/mxeKmSh2J6Q/tyh/l1+lTw
Threatray 1'861 similar samples on MalwareBazaar
TLSH 4B358D2436EA6719F077EBB95AE46045CBFAF523B716D44D3C9103CB0622F40DE91A3A
Reporter abuse_ch
Tags:AgentTesla CHN DHL exe geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [193.56.28.17]
Sending IP: 193.56.28.17
From: China@salab-druid-2.localdomain, DHL@salab-druid-2.localdomain, "Express <5idhl_noreply"@dhl.com
Subject: 【中外运-敦豪】电子发票(发票号:74725794
Attachment: DHL_document11022020680908911.doc.zip (contains "DHL_document11022020680908911.doc.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.474.21465.25217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565268
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331720 Sample: DHL_document110220206809089... Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 14 other signatures 2->39 7 DHL_document11022020680908911.doc.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming19fgUTnKJv.exe, PE32 7->19 dropped 21 C:\Users\...21fgUTnKJv.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpFBD3.tmp, XML 7->23 dropped 25 DHL_document110220...0908911.doc.exe.log, ASCII 7->25 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 11 DHL_document11022020680908911.doc.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.privateemail.com 198.54.122.60, 49748, 49749, 587 NAMECHEAP-NETUS United States 11->27 29 nagano-19599.herokussl.com 11->29 31 2 other IPs or domains 11->31 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 2 other signatures 11->53 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 04:29:20 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sttgmbfgrbzgqxlchibwypp7m6xztpgztlui3dofuomeoc5gzmfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07599c2094171db70e00c3f917808769d676b406b7c6842ed75cfbe2186e044b
AgentTesla
0b55a1e1d624408e21aba91fc437c256dee64731ea9454700cc0f5448dd00f52
AgentTesla
242045c07ffb6427b046939045d9312f3beaa954ef3ec60316247f7dfdfbca3e
AgentTesla
385c7018cf8debb5955d9009f6c8096cecf124c975306b95c9b24bd84046e97b
AgentTesla
b8d0f5a88fd8d100cc6dc0f63e31c14c9fda07be97422b0ee2355cb73c14bd97
AgentTesla
ca2cea721cdeb2bcb71a5e623076d58b514de145236e8a11b39ab2863e2f975f
AgentTesla
ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c
AgentTesla
d04ab5688b6093908786418a2767df4c7b0c99324fad4fba37036df9b7673e01
AgentTesla
e5d8c5c382b01a400205b1477e89b12f9eea14fdf10c5e4d31640954910661b6
AgentTesla
f64ecad45aae27f037e819a6adfaeebbdf0f769690a46a89a29d4f0da22b6cd4
AgentTesla
+ 1'851 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201217-k5ry4d32ys/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b
MD5 hash:
1185ae49871da0b2d32b9c81036b49f2
SHA1 hash:
c99b92b619e5095b78661fb193a0cd0167280da6
Link:
https://www.unpac.me/results/4c6887ef-705f-454c-b0c4-d61651afa971/
SH256 hash:
d1fc716a2d6e2132b3e2daa27820137ed29babf224ac6545902bb388cf7b86cc
MD5 hash:
7e675d697cbeb85c1864ef43a29c6b70
SHA1 hash:
0ca9f369442fd6602dd8e0c92b7b283bc1a42701
Link:
https://www.unpac.me/results/4c6887ef-705f-454c-b0c4-d61651afa971/
SH256 hash:
43635e25d2848d62f5eb80b0f91558acae065eca0d8f8b50e7411c4fdc718823
MD5 hash:
b0b003a639ce04cba1a67e3a7bf6be87
SHA1 hash:
a576f63b97192eea7f260045828d4f876815b3c2
Link:
https://www.unpac.me/results/4c6887ef-705f-454c-b0c4-d61651afa971/
SH256 hash:
6ce7283ffeded9dbe705a75710b8bc65d8e6302fa9d0b591f4a8d01a85bb4e6b
MD5 hash:
2a2824b0d28f9f6c2457472f03858470
SHA1 hash:
d2182b657e500e681ee9f3fb47d5232a7488357f
Link:
https://www.unpac.me/results/4c6887ef-705f-454c-b0c4-d61651afa971/
SH256 hash:
21afc398aa7e05ed3eb9a23a011d0b7572a1178b33dba6b865638fdae2ffd461
MD5 hash:
579f71a60d426d5cfe9b40b74b1d5a52
SHA1 hash:
f130426ab206b90d5b04d47727a27dc5f0749ec1
Link:
https://www.unpac.me/results/4c6887ef-705f-454c-b0c4-d61651afa971/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 56d2b240bb23e942e2eb57f3a9897f7db48414e89f49c1c65681237c75f6e030

AgentTesla

Executable exe 94e66604a68872685d623a036c3dff67af99bcd99ae88d8dc5a398470ba6cb0b

(this sample)

  
Dropped by
MD5 3228f8649636ff123e4b7ee2e51b4a20
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 56d2b240bb23e942e2eb57f3a9897f7db48414e89f49c1c65681237c75f6e030

Comments