MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9
SHA3-384 hash: 98da80c3eeccd4a2e1bec0a368e0b14024f99985faabb695547e24725c293cdce88ae598d1c7af53d187e7e1db15eb36
SHA1 hash: 74b155b196a1b82416f2b5e196c55d76ee047b4e
MD5 hash: d1399aaabd8c5ae0e687e148e7708498
humanhash: green-carbon-yellow-alanine
File name:DHL PO1001910 Sample Arrive.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'068'032 bytes
First seen:2023-03-17 11:54:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:W/jkj+gMWKS0KgvGo9xCEWdrZY3kKzAFlb3w1q:W/jkCSPgeo9AEWszs5
Threatray 1'506 similar samples on MalwareBazaar
TLSH T11135AD88F644EBA0DD299BB96536CC3143636DAEA934E15C1CDE3DEB3BB7B920011447
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL PO1001910 Sample Arrive.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 11:55:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dfc95519-0662-4642-a5cf-01f4b3edc66c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375076/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641455192fbc9ad18a02ef8e/reports/fe83a2ce-7f07-4e48-86e5-0a620b73047a/overview
Verdict:
Malicious
Labled as:
Bulz.Generic
Link:
https://www.hybrid-analysis.com/sample/96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/240b5788-937d-486a-9a29-cc2c96894393
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195772
Signature
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828669 Sample: DHL_PO1001910_Sample_Arrive.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 60 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 2 other signatures 2->66 7 DHL_PO1001910_Sample_Arrive.exe 7 2->7         started        11 yGbzOMp.exe 5 2->11         started        13 yGbzOMp.exe 2->13         started        15 auvbhlgzl.exe 3 2->15         started        process3 file4 46 C:\Users\user\AppData\Roaming\auvbhlgzl.exe, PE32 7->46 dropped 48 C:\Users\...\auvbhlgzl.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\Local\...\tmp8B30.tmp, XML 7->50 dropped 52 C:\...\DHL_PO1001910_Sample_Arrive.exe.log, ASCII 7->52 dropped 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->78 80 Uses schtasks.exe or at.exe to add and modify task schedules 7->80 82 Adds a directory exclusion to Windows Defender 7->82 17 DHL_PO1001910_Sample_Arrive.exe 2 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        84 Multi AV Scanner detection for dropped file 11->84 86 Machine Learning detection for dropped file 11->86 26 yGbzOMp.exe 11->26         started        28 schtasks.exe 11->28         started        30 yGbzOMp.exe 13->30         started        32 schtasks.exe 13->32         started        signatures5 process6 dnsIp7 54 mail.ppecindia.com 50.87.154.175, 49707, 49710, 49711 UNIFIEDLAYER-AS-1US United States 17->54 56 192.168.2.1 unknown unknown 17->56 58 windowsupdatebg.s.llnwi.net 17->58 42 C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32 17->42 dropped 44 C:\Users\user\...\yGbzOMp.exe:Zone.Identifier, ASCII 17->44 dropped 68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->68 70 Tries to steal Mail credentials (via file / registry access) 17->70 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->72 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        38 conhost.exe 28->38         started        74 Tries to harvest and steal browser information (history, passwords, etc) 30->74 40 conhost.exe 32->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 09:51:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
59
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s3oaprh4pofnfuk7lcdn27czw6z66crzhmvimbp2hz7eszvfzp4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
499e8fe59f6dd5127cbf40263388b2ad5faac3a7c63db886996ad5ee8b82aed1
AgentTesla
5ce9e55206c2cf89b0066fd00d73adf3ef74f3cd7de665febdfead3e586a91bc
AgentTesla
6d790c94dffa2eda7fd860cb26decc3f27e50582449a544428271b7fdce8f308
AgentTesla
b46224c411113f678ebc8248a753ea79291df2ba219bcef5c97cf0cdacfa16f3
AgentTesla
cd8b38d06c2f0a859dff506de2b2070ee2d0be8e7e6549a36d0ec871f34a4712
AgentTesla
dbb93921edfb232a7f5f924d30ce753ede21c2ef0a3626675fff0df0414d2106
AgentTesla
efa920373efaa4bd26fb1704e6ea6cb05ed8e91b5e552db7ff2a7764ace07758
AgentTesla
+ 1'496 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230317-n3fvesga93/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
7f90991683520d8c2a42c3dbcc24cebff64ce8d40f3f32f9a867779f7ab87a58
MD5 hash:
077af04f55df3bcae678aa624a1de4bb
SHA1 hash:
7affca70ba022fc71d1f4cf5e1f293f60bed1d66
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
SH256 hash:
1430d5b9f94f1122fb510b93e4855986e3f801f13c30e2a68955b8dbb00d786a
MD5 hash:
51e576da8d1890a1511d4d2610892e30
SHA1 hash:
7a868c2bbcf4bac5e78a6ed6a8f01638ef0747d5
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
SH256 hash:
f85bb4312dbe1ec4bb96dd235123a1c982390b0afe7ed7faec730e758a67e3b1
MD5 hash:
db3a6e070b86fd016e1588d43238c665
SHA1 hash:
14bf9ea4dc79c762d14d0dbadfd430d599e223a3
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
SH256 hash:
dcdc45fe092ff70b2d35e87240a2a706ab4268317efd0c9ea46242da9d68d911
MD5 hash:
8c5d728b6c3a6e896f42a70bb5d3da9d
SHA1 hash:
0d0daa0a9fa331847bd15eea3140f8db9c4dc77a
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
SH256 hash:
96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9
MD5 hash:
d1399aaabd8c5ae0e687e148e7708498
SHA1 hash:
74b155b196a1b82416f2b5e196c55d76ee047b4e
Link:
https://www.unpac.me/results/8cbc30be-78e6-47e0-93f5-14ff57ea168e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z c548ee70242147de73e5bb0f457247679adb045a82930be9c3e90b8c383d74cb

AgentTesla

Executable exe 96dc07c4fc7b8ad2d15f5886dd7c59b7b3ef0a393b2a8605fa3e7e4966a5cbf9

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/375076/
  
Dropped by
SHA256 c548ee70242147de73e5bb0f457247679adb045a82930be9c3e90b8c383d74cb
  
Dropped by
MD5 97f0073853faf6386c475cf2cbdfe757

Comments