MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb
SHA3-384 hash:	4cc66220c77c53750846becb70feabb8f4a7b38edd240c53e3b15fd06d293771b5f57379e91c318cd8f859044b2789ec
SHA1 hash:	4cc094c527c6d13f2fc7fae88c9615f7c9fb59b7
MD5 hash:	72df3db91800d22823de99e629ead2a5
humanhash:	venus-florida-magazine-twelve
File name:	DHL Shipping 2.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	827'904 bytes
First seen:	2021-05-05 14:23:38 UTC
Last seen:	2021-05-05 15:03:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:ikSFw0yQqn7az/xs8blP1vKAbywQQy8YvAm:fuw0ynabV1vKAWS
Threatray	4'513 similar samples on MalwareBazaar
TLSH	42050189F94056A4CD2E93322136CD711263BC7EA5B9661C3ECE3CBB3EFB1428511657
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/150689/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-05-05 13:17:13 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vme36y4acweiraiafc6ez2wehvks3n7xwntqvglmmur6la5j5tvq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3ef3019867fc829d59b65a986f05ff1fd21c10f88266d10344d92a738746bb50

AgentTesla

4aca8284a28707330988003f732d3c96d8c79961eff90138be412b26e6a31717

AgentTesla

6eae84ece9518036a2bb762dc2e30a32568e20a1f1f8ce50247310b727389150

AgentTesla

8b3a8630800280cdf3e61243a7343e93a6b54b8a51b859d7d52b7dccaace0513

AgentTesla

8d6923c7b88feaea7b9df935e450e606a112643a1cf0abefcf3b836edfeae010

AgentTesla

909b8077e052b8176a40b50c8154344a720576d7c7e3462d39546cef12d28e07

AgentTesla

9c8c8db008eb09c8bd9c70fece2d06bb253f14f205ae6c6d253dcb6a2d7aebcc

AgentTesla

a0fc12b65029f2629cf2b7c69c2179c6503a24a6bdabbf21680886c375959efe

AgentTesla

f8c15465927d5ff0936658b3ea09ef61551436b7107ad0552021bd0960762698

AgentTesla

+ 4'503 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210505-ppyv8zdg6e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87

MD5 hash:

826b29e2a141b055a5491c9d7dc6eea7

SHA1 hash:

af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9

Link:

https://www.unpac.me/results/7c672dd1-cff4-4d7a-b3c8-320605f6b519/

SH256 hash:

ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb

MD5 hash:

72df3db91800d22823de99e629ead2a5

SHA1 hash:

4cc094c527c6d13f2fc7fae88c9615f7c9fb59b7

Link:

https://www.unpac.me/results/7c672dd1-cff4-4d7a-b3c8-320605f6b519/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab09bf6380158888810028bc4ceac43d552db7f7b3670a996c6523e583a9eceb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150689/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample