MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c
SHA3-384 hash:	1cd43c603d9a78ed6f1a1123b5634fec82dd1f6d9a6bffbb8c77d64f2b38a77786ef348dcaf2f7c95c8ea70c3ec4fa60
SHA1 hash:	386f938fdd4e008217068b46d956b65b2be3a0b7
MD5 hash:	8ddc283f406f03d818fdc1ed6d93773e
humanhash:	friend-nine-magnesium-uniform
File name:	AWB DHL SHIPPING DOCUMENT_8860.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	617'472 bytes
First seen:	2023-05-11 19:10:24 UTC
Last seen:	2023-05-13 22:47:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:sqUgm1cec5PODk1UqRqk9hsUq9EAhHMfYjCQAJvOd/Ca:ugm1cdIDkWqRqk9h1AFCQAJg/n
Threatray	3'417 similar samples on MalwareBazaar
TLSH	T183D4CE84123BBFE2C9A413F1211474828B7DA51A35B8F0BC7D67B4C9C9EAB114BD4B67
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

267

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

AWB DHL SHIPPING DOCUMENT_8860.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 19:13:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa29bff5-9cce-4e2b-a183-2767457f668e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox XorStringsNET

Detection:

XorStringsNET

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/388513/

ClamAV Detected

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d3dcb96ddf41720106e5d/reports/244a8b80-4f36-413f-b174-1bd5b0b5c60b/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c6f2456e-5cd7-4333-a98d-c65bc195762b

Joe Sandbox AgentTesla, zgRAT

Result

Threat name:

AgentTesla, zgRAT

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1231074

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c/

ReversingLabs TitaniumCloud Win32.Spyware.Negasteal

Threat name:

Win32.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-11 09:03:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

9

AV detection:

18 of 36 (50.00%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tny3ghlugbdbn26hvo2vkdr2zdu5mrlo5am6xdxncsszyedzykga._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

14d2f29a80efcfe126628046ae8b02b78722c8bbd7c54c2c8900c44805455bd2

AgentTesla

167ea427613672844817e73ce587a325bbce315affd1636c249249cecbada4b4

AgentTesla

1c3e05c1dc57b82fb25bb8af32bad88ef17a5078818598c30738675ccc4729fd

AgentTesla

3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d

AgentTesla

43b2d95b4ca603f5007a2d5a389b02d19df2103077146ba3aef9fbd82f2e0770

AgentTesla

58dda17dafc74dd89d83c27483ef35cd298a205d543bb7d1e8305d231705277b

AgentTesla

6e5c020da66ea1b65b6b339dbc32987746a48a112bb75317808ac6c77777f7e7

AgentTesla

bf7d050627a7bf67ad74bed6cf159d30c88423a1c0ef53f9fdc80b6977e79d9e

AgentTesla

d0bbf51d9dc7100fb76b837b5e5ffe89b767351518e76a64fa2748463a1c89e6

AgentTesla

f8361cfd071c7c258b148d194ab3abdea0f5f68c2d0d98f0275c3b335b83d469

AgentTesla

+ 3'407 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230511-xvx86sce2y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot6155153237:AAHwniNOLh5IeMqe3WWu52NIjrXAphPX4U4/

UnpacMe AgentTeslaXorStringsNet

Unpacked files

SH256 hash:

7d315560fe6dd2b7ca6214d539a540938cb148969628ede47f9348f882033a4b

MD5 hash:

9ee7ebc404ce9aa851693ac5302fc0e9

SHA1 hash:

feed60fd6a8ad99b0d41d5e9be3541b0f67af93d

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

SH256 hash:

65e0574f002bc64492c0318ec4bea714a57779577ae7e0f589fd3723776dcea0

MD5 hash:

e7b54e07746855c12c2a83b0613ba33c

SHA1 hash:

d5c4f1d95a0d7ecb9d9319af6f9fb4d268542964

Detections:

AgentTeslaXorStringsNet

Alert

Create hunting rule

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

Parent samples :

1c3e05c1dc57b82fb25bb8af32bad88ef17a5078818598c30738675ccc4729fd
6e5c020da66ea1b65b6b339dbc32987746a48a112bb75317808ac6c77777f7e7
9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c
14d2f29a80efcfe126628046ae8b02b78722c8bbd7c54c2c8900c44805455bd2
baa855589cec9a4aeff9575393b8f2a46f5e2251dfc8f8cc009c5a6690ec9409
6b21ac723fcef1a13f74d9e1acfb5ba9f500d0d185bac33f862eb081b13835f0
cca30cba64c9679893c85367083785816667a745a2a382afd3b0311285c7017f

SH256 hash:

0f3ce045af3071d28edb9d4e60d77d333bf0d4b4750d62d58bdc2ebbef4efab5

MD5 hash:

3e91ff32f1a74c31d5e51477e0f04642

SHA1 hash:

a05d8f6c0d6fdb165b5ed277c31d7f0902611e7e

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

SH256 hash:

b68201d617095715babffb5f4bd0d3ff033c54d26d94869a311a9d5e8cc3ead4

MD5 hash:

2d9e413c776b261f871d276f79f17194

SHA1 hash:

886c9e70b77625e82a66e53668992bd76592ca2e

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

SH256 hash:

5640723e3ce36a7da4990c0345a233eee79bd040c668e3ef0482ef3830bc97d5

MD5 hash:

caa2fd4180b063525b2adcda16a2fd56

SHA1 hash:

24565eff9b0cd7c509514eabaa426b37144c436a

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

SH256 hash:

9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c

MD5 hash:

8ddc283f406f03d818fdc1ed6d93773e

SHA1 hash:

386f938fdd4e008217068b46d956b65b2be3a0b7

Link:

https://www.unpac.me/results/4fcd9a06-f5da-4750-a6cc-39849e59999c/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9b71b31d7430/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 9b71b31d74304616ebc7abb5550e3ac8e9d6456ee819eb8eed14a59c1079c28c

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388513/