MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b96eaf9ac03911e5764eb149c9c0235c19c97422a45ba1176c962ad151c87185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b96eaf9ac03911e5764eb149c9c0235c19c97422a45ba1176c962ad151c87185
SHA3-384 hash:	127d9712a75dd67e5ceea38806c838a84553856a80a2e8f4531d0cc532a057f2646569e4b9da527ce3fcf2695610bf5f
SHA1 hash:	1d67964686afb1f3d437a9ce4e2d2372ddeec6cc
MD5 hash:	e33c5b67a877ea8bed6c21295162ddcd
humanhash:	violet-queen-south-juliet
File name:	Dhl OB.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	596'992 bytes
First seen:	2020-06-03 12:47:18 UTC
Last seen:	2020-06-03 13:52:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:eNVB4XHR5emf5Du1LsoXVuB8cU/mlj45//GIIRy46ax9p0:oVBOIY8zwFUOB2Yy4pU
Threatray	1'407 similar samples on MalwareBazaar
TLSH	ABC4E0043690BD4FC67F0E77986618005B70E2236E4EF257ACC722EE595FBDA4A0179B
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail2.static.mailgun.info
Sending IP: 104.130.122.2
From: DHL<yvdploeg@amcorrusa.com>
Subject: DHL:由于发货地址错误而退回发货 - DHL-#AWB130501923096
Attachment: Dhl OB.rar (contains "Dhl OB.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

2

# of downloads :

71

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-03 13:20:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

13

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xfxk7gwahei6k5sowfe4tqbdlqm4s5bcurn2cf3msyvncuoiogcq._file

Verdict:

malicious

Similar samples:

0ed8342c19d8ff14d83588ca91cc6b5ab6bd811de15f05e5497d62ba25e56365

1d62f58f38403389ce4079c1002d56ab2d64e440c1bbd358ed23d5d726143581

1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529

3c12197e1c9c3d04c5831d3633fcda64dd51bd7c7d31db7ca42fafe341f7a3ee

7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a

7399fc107327a8ecb09632fd6380f18e3f7c382675b9be0a2613beb831337096

c2df19f344fb1d82a9bb0a0433865874edbd8ca203e843cb6452768d2aa66240

ef1448f905b7a9ac9186f6d076996b9638d37a8b96af5f7c791c4b0aa9a7aace

f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1

f91c59a4e7c426578c67ccfeeb3f4ff7a2f131bf1bf8ca891553f398be9d4d01

+ 1'397 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-xeyw8s1xwx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar e718181e83432ca8b3796f8aad18e3ffa85f18b927aa1a92fb4fa84f7a290efd

exe b96eaf9ac03911e5764eb149c9c0235c19c97422a45ba1176c962ad151c87185

(this sample)

Dropped by

MD5 46bafde2b09db3458e24f590a18e4437

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 e718181e83432ca8b3796f8aad18e3ffa85f18b927aa1a92fb4fa84f7a290efd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample