MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9b5025d4f9cc6a69eff210cb9c6a2571fbb82820bba57b174eead2fad4b50dfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 8
| SHA256 hash: | 9b5025d4f9cc6a69eff210cb9c6a2571fbb82820bba57b174eead2fad4b50dfa |
|---|---|
| SHA3-384 hash: | 7d79d528e07fc602a50163479e5bfab5e6c964c70b6e4e27d0bf6c1d9870145167bb04115e4c3cde858c66004a9b716b |
| SHA1 hash: | d62b3a89f7a34886cd0e5aab89b56eba0f7b5a03 |
| MD5 hash: | ae51edf78e690c95c8660fc9a26fd0e7 |
| humanhash: | aspen-indigo-echo-bravo |
| File name: | Assigned Document.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 492'563 bytes |
| First seen: | 2020-08-06 07:56:32 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic) |
| ssdeep | 12288:9anCldVdZ58kIVfysiqZXWqGHMLe2AbS0tOZyYPo:tdVp8kIVfiwzsTZYA |
| Threatray | 689 similar samples on MalwareBazaar |
| TLSH | 11A412E29A55C0FBFDB94FB0653A1E9137A69E1E54CD230A5F4A3F1820B3153064F8A7 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla DHL exe |
abuse_ch
Malspam distributing unidentified malware:HELO: box.wetranservice.xyz
Sending IP: 142.11.206.237
From: Wiji Krismiati (DHL) <ldh@wetranservice.xyz>
Subject: Description: AGREEMENT, ETC DOC
Attachment: Assigned Documents.img (contains "Assigned Document.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Moving a file to the %AppData% subdirectory
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Executable has a suspicious name (potential lure to open the executable)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.CryptInject
Status:
Malicious
First seen:
2020-08-06 07:57:19 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 679 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
1/10
Tags:
n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.