MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4
SHA3-384 hash: 537b9cc2e7a663c447bc64f924170d41ccab5e82d30639ec6fb9098c20cf4678377d97798a3d2d9cf8b1e555fab7918c
SHA1 hash: 1f3bb347914b0dc68aa7c94c59eda0227f5ce987
MD5 hash: 6826929ae134048862d5a4d4c309895a
humanhash: dakota-november-skylark-thirteen
File name:DHL_09_10_2020_AWB_09_10_2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:683'520 bytes
First seen:2020-10-12 06:24:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 010f3e42f15e9eb57a4a9a1dad838a51 (10 x Loki, 8 x AgentTesla, 3 x MassLogger)
ssdeep 12288:MAindXhz+XwfE0CQPW7q0dzQNqJHRrUtqCfz3wDa5OP:Di16wf9aNzQ4lFUtqYC
Threatray 2'055 similar samples on MalwareBazaar
TLSH 83E49E22E2E17433C2273A3D9CDB576C982DBE503D2869472BE51C4F5F3D691782A293
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: adminia.mynewserver.com
Sending IP: 46.4.31.103
From: DHL | Express Shipping <manuz-e@marudeni.com>
Subject: Urgent: Shipping Documents (FINAL WARNING)
Attachment: DHL_09_10_2020_AWB_09_10_2020.zip (contains "DHL_09_10_2020_AWB_09_10_2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69971/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488062
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 02:47:38 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjk4jdipgw3sjoco3t4hrk2g3c7fijla2xfonhb4hpxbz3rkfpca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
AgentTesla
1e3f14f932364db4904b69fce12e373e6354f4291dcda0d82a8477a21a9a803f
AgentTesla
2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f
AgentTesla
4c3a7099eda494c1353b5a682855c0bda954754a1d9afb8a89beca8df2f070ef
AgentTesla
835de94d6d37297ee0720dff2f6581168a795e25f95ff841c9cb0f634272e445
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
9f472d0e4e519e465b9f5a5868354d7f8107f10680186ac301f2b700e762ea95
AgentTesla
a2b0e9c1ea03a3a538fe9ef7f8e6dbf4c08feba8560e238e29fce0dd2f2e144b
AgentTesla
b11dd5b20f65034f4e5d1f6a13019d06a2d26c357d10ee42b9de2f326c72267b
AgentTesla
e0c34f114e453f3bbc87f54c2216141f5b805095e7d72ef8ec01192af5110452
AgentTesla
+ 2'045 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201012-1sgaynfppj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4
MD5 hash:
6826929ae134048862d5a4d4c309895a
SHA1 hash:
1f3bb347914b0dc68aa7c94c59eda0227f5ce987
Link:
https://www.unpac.me/results/0556145b-c211-41df-afb7-0f76a9a4e151/
SH256 hash:
e96cb805e1a19fd4f7dec850409433b583cd20ca3a89da71be86d50d90af0b6e
MD5 hash:
018396151758eb674713aa55fdbba49c
SHA1 hash:
79629f218c9137a6d70274e1428649962a72d52c
Link:
https://www.unpac.me/results/0556145b-c211-41df-afb7-0f76a9a4e151/
SH256 hash:
eba79d780637d15ffe30f62e1a3f132bd9aa8d374cbc2a172463cbfffa144d11
MD5 hash:
06c9437800207053c94793470b5924f3
SHA1 hash:
4cbfd2a52b6bb5a273530c4dc75ae328953a324a
Link:
https://www.unpac.me/results/0556145b-c211-41df-afb7-0f76a9a4e151/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7594b95ac9fd1c88bb04f155845be0661ad4df21e54ba6b078287329d3ab9fe7

AgentTesla

Executable exe 9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4

(this sample)

  
Dropped by
MD5 fc43eb50ac80eb0299c1aec2d36e9c47
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69971/
  
Dropped by
SHA256 7594b95ac9fd1c88bb04f155845be0661ad4df21e54ba6b078287329d3ab9fe7

Comments