MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 aedef2c77ed57c78a04e0744ebd77d6d2dfb743276ca83c39ebb9afd93123704. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 9
| SHA256 hash: | aedef2c77ed57c78a04e0744ebd77d6d2dfb743276ca83c39ebb9afd93123704 |
|---|---|
| SHA3-384 hash: | d0a6ff782a129b64ba0b11e73f2b8d6c1f41df91c9263878d84b10bf1fe9e2066d916b434b4d258d68f115efa02a5de5 |
| SHA1 hash: | af67b05bcd4b7c1fd3e0df1543d8ea85baf7aa26 |
| MD5 hash: | 00317e6f5d589577dcdf2026c1c6ec75 |
| humanhash: | vegan-maine-juliet-virginia |
| File name: | Delivery Note - AWD 200038485852- 2349203968876 .exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 630'784 bytes |
| First seen: | 2020-10-06 06:32:25 UTC |
| Last seen: | 2020-10-06 08:12:22 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:KvCffUZzVsWcHxePEi0VeXx6xIAaEcytkWHicD6vR:yCf8tVP9UA61a6kvbvR |
| Threatray | 342 similar samples on MalwareBazaar |
| TLSH | 7AD4F15A23B8D715E57E577A6420502033F09D07A362F69DFEEA61ADEC23B80CE61B41 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla DHL exe |
abuse_ch
Malspam distributing AgentTesla:HELO: host.greekwebhosting.com
Sending IP: 67.225.208.195
From: DHL Express <katewright_dhl@gmail.com>
Subject: Re:DHL Failed Delivery Notification
Attachment: Delivery Note - AWD 200038485852- 2349203968876 .gz (contains "Delivery Note - AWD 200038485852- 2349203968876 .exe")
AgentTesla FTP exfil server:
ftp.superdragooncar.com:21
AgentTesla FTP exfil user name:
dod@superdragooncar.com
Intelligence
File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-10-06 04:12:03 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 332 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
aedef2c77ed57c78a04e0744ebd77d6d2dfb743276ca83c39ebb9afd93123704
MD5 hash:
00317e6f5d589577dcdf2026c1c6ec75
SHA1 hash:
af67b05bcd4b7c1fd3e0df1543d8ea85baf7aa26
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
SH256 hash:
da7f20a92e39e24b27c89aad50d5d0429f1561d9ff60b484eb8e6b760a71bb71
MD5 hash:
4fbad45fef90970594430d09ba2cc472
SHA1 hash:
0f9bf7fb24da6010bce721b1f2c0b07124f51215
SH256 hash:
5fac9b74e38f6e664da8fc75feca01567a1d4a8cfc6b084f99cde517edf6f961
MD5 hash:
db8316c6460be683168df05aa6648cdd
SHA1 hash:
747099b34e3156356adea20e75ad05d291768be6
SH256 hash:
536a3ed0d3fb0b8e0cb2a7fb2cfbc4af59af6dc65889224bc769f2fbfc1418d2
MD5 hash:
1feadf726713f30ee5ecc269bed09aeb
SHA1 hash:
88e5be3bcee669dd947ce0429ceecf18ac46d8ac
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_AgentTesla_20200929 |
|---|---|
| Author: | abuse.ch |
| Description: | Detects AgentTesla PE |
| Rule name: | win_agent_tesla_v1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects Agent Tesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.