MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454
SHA3-384 hash: c2886ea3b34a53978efe0e9af9caa1c4e58109eac2ffc56c3b02d160b32eb2fd94509c1e5d77bd2875befaf28c9a1752
SHA1 hash: 87fb531955052a926d9eb3548c1a9a6da38f7b0b
MD5 hash: 3f653ffb6873e20afc61d70f17e1013e
humanhash: king-cold-helium-happy
File name:DHL Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:504'950 bytes
First seen:2021-06-22 06:22:45 UTC
Last seen:2021-06-22 06:49:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:B7F+SU3ufu4v/WdU1JYmlhxfOdDNPXlsA0:jpUefjmq1JYmdOdDNP1v0
Threatray 6'008 similar samples on MalwareBazaar
TLSH 36B40201F79081B7E839463249E7CF527378F6D54A52571B23C8BB5B7DA328348A368B
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Documents.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 06:24:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3cb4e65-688f-46a5-b4dd-8a1d2f3774a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167442/
Detection(s):
SecuriteInfo.com.Trojan.Loader.839.27556.1725.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/409e3498-9e55-4c3f-a9ad-2e084e5049fe
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805743
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 13:48:29 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcatmtzek3p363yufv3wv4rhw5holhbs2utyklwnlhmpdlnzurka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
371403b191cb7d2c789b8002beb5ac3c7b7cac6af0750327e7f1b742ef202152
AgentTesla
38d6a9cd400dc5baf23d97e91ca50a1dfd3d689b7a5704567ff1b6ba02fca126
AgentTesla
3d21603ce9082914405c37f775150a30cb44f6e53e7bf35cb78dfeda36c1e8c7
AgentTesla
4aca8284a28707330988003f732d3c96d8c79961eff90138be412b26e6a31717
AgentTesla
4f8ddfeb0d48d3815a6408f908e164ac7538148bab73b7b07885e26049929eae
AgentTesla
6f90e14595a67191a4969df0b85a828346921d6d4656ea793770b47a54d5b790
AgentTesla
ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb
AgentTesla
d8a1d6d264251e89604f5ce4fad4612b346e2b020f560b3841fb98de82b03340
AgentTesla
e2d78233adda371c064661fc267ec4035ae1744ca978f1b0828107f962f8d193
AgentTesla
f482837bcd21caa30b2f7bf2550fb6d13d61aa7e4e0c66219bd085dd16b9481d
AgentTesla
+ 5'998 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210622-wqhsevw686/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
8045c47f5fa1170c1ca34a0ddba998444d7c9853c4fce7408072d2bbf396b820
MD5 hash:
6d45de9b75eb053dde871c1450061705
SHA1 hash:
59b132ebf86c3988e69792517d9d65dc4ce2952d
Link:
https://www.unpac.me/results/8cc18c17-6545-48e3-a2d7-7e1e0efd1a8e/
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/8cc18c17-6545-48e3-a2d7-7e1e0efd1a8e/
SH256 hash:
8f945c00e49bdd8e29f54fc33615bff3a970987d8a74e10ffd234bdef3c1d3f9
MD5 hash:
b3b0dae548e990ac6d12e3e0d1e45f4d
SHA1 hash:
6a4fbae372d890ca308a1c70fe2ddfa3473efe5d
Link:
https://www.unpac.me/results/8cc18c17-6545-48e3-a2d7-7e1e0efd1a8e/
SH256 hash:
9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454
MD5 hash:
3f653ffb6873e20afc61d70f17e1013e
SHA1 hash:
87fb531955052a926d9eb3548c1a9a6da38f7b0b
Link:
https://www.unpac.me/results/8cc18c17-6545-48e3-a2d7-7e1e0efd1a8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9881364f2456dfbf6f142d776af227b74ee59c32d527852ecd59d8f1adb9a454

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167442/

Comments