MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8
SHA3-384 hash: 04da06a9abe9bb7f50e357c90327ca0f995be8a591886558578bc92f1a399c5b88ceedae71ca81f213945fcb2d6b5cdc
SHA1 hash: e91d2bb4fdacd5280f838f60ea42c7ae81ca90a4
MD5 hash: 5470553086d83e8eaeb078277e7de498
humanhash: zebra-eighteen-burger-enemy
File name:DHL Express_ AWB#201045829822.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'206'272 bytes
First seen:2023-02-28 08:23:19 UTC
Last seen:2023-02-28 09:29:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:gjgme7uCA6/+or6dcs0tru7RVp8ke5GdvTTZh6Qjopx/6qW:ogme7ua+3dm5Ap8T5GdbTmN1B
Threatray 974 similar samples on MalwareBazaar
TLSH T14945AE4853B344B2FBEB11A11875228C4EB472CB3585F61B5F673751A922AFFB29F102
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 004c4d4d69694c00 (12 x AgentTesla, 5 x SnakeKeylogger, 1 x Loki)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express_ AWB#201045829822.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 08:34:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d97473c3-bdd9-4db5-a0d1-91c89f401156

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370568/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63fdba2366e79c93ba0d3b33/reports/197a6b8f-accc-402c-98d6-47778cab43ac/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0767f4fd-b122-4b6a-a105-d7e0dd436972
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1184062
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816896 Sample: DHL Express_ AWB#201045829822.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 4 other signatures 2->49 6 hsrhB.exe 3 2->6         started        9 DHL Express_ AWB#201045829822.exe 3 2->9         started        12 hsrhB.exe 2 2->12         started        process3 file4 51 Multi AV Scanner detection for dropped file 6->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->53 55 May check the online IP address of the machine 6->55 59 2 other signatures 6->59 14 hsrhB.exe 14 7 6->14         started        27 C:\...\DHL Express_ AWB#201045829822.exe.log, ASCII 9->27 dropped 57 Injects a PE file into a foreign processes 9->57 18 DHL Express_ AWB#201045829822.exe 17 10 9->18         started        21 hsrhB.exe 12->21         started        signatures5 process6 dnsIp7 29 162.159.138.232, 443, 49706, 49709 CLOUDFLARENETUS United States 14->29 31 104.237.62.211, 443, 49703, 49704 WEBNXUS United States 14->31 39 2 other IPs or domains 14->39 33 discord.com 162.159.128.233, 443, 49701, 49702 CLOUDFLARENETUS United States 18->33 41 3 other IPs or domains 18->41 23 C:\Users\user\AppData\Roaming\...\hsrhB.exe, PE32 18->23 dropped 25 C:\Users\user\...\hsrhB.exe:Zone.Identifier, ASCII 18->25 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->61 63 Tries to steal Mail credentials (via file / registry access) 18->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 35 162.159.135.232, 443, 49708 CLOUDFLARENETUS United States 21->35 37 api.ipify.org 21->37 67 Tries to harvest and steal browser information (history, passwords, etc) 21->67 69 Installs a global keyboard hook 21->69 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-28 02:20:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xh6x4hu3ebfcxd7dylxbhcyf4efutr3lwko5ed45jigox7r3ok4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
41857a1bfb1cda7337d39a4c6bcec253fb44532179f9cb12e919608f227e3dcb
AgentTesla
465a71fa9458ee9162610eae78424a2a3f75561af0a2ce10ab3e6afde10aa74c
AgentTesla
6d4eead03f27551a1c48b4da0e274a7d889002e673b578a5782122fa11eb21dc
AgentTesla
7ea54a151d7340d97ccc3d53dbf82900b2205f0df10b0571a12501ecaad5359d
AgentTesla
9fc6f01a0e05e3ffa8d1391586e36f2a587f38ad3a186dc68ac8a6101fd94b6d
AgentTesla
a530d39c6e1b1505e94f7026eb82191062e6a0f62ddbb03a4bcf0eb295c3d518
AgentTesla
cab8030aedb4d80563698d091a018b5a43d817b31dbe937d5f27f944722cd9ac
AgentTesla
d895ef9ec26a0d27fe790a1b066ab87717f99d3cf482df1c6ffd61fb6a113201
AgentTesla
f33f2b0823a6b41f1632f5d19ebe4d144375781702b3f7b544c6321937f28161
AgentTesla
+ 964 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230228-karjnsad57/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1078583741573767239/JZQPjky8rqPcJghEx5_Yb02_z7KQzE661ZEA5DS0IpEP4tMOOQUK-gcD6l-_DMB3dif_
Unpacked files
SH256 hash:
4c287133e24c51fe862bee6b0c4e6e1a2c91cdfe9a06d8cec13fd631a8f7aab1
MD5 hash:
7cfceb692857d814eda8f0c73a439a0f
SHA1 hash:
f9e1dc29b52a36f453a44997b2a89d616984274c
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
SH256 hash:
73c8f4faae2c73283258da47e16f5f27950616e61f13d4daed0ccde85c67443e
MD5 hash:
097d6ffc0aeffae55b473e5c868ebc1e
SHA1 hash:
cec11606362a24997a8d3712d062da966f3ae7a5
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
SH256 hash:
c0528decaa397eef41b71f0eff0a9a0ee8f874680b90d40b5443f2d1d4fe6d84
MD5 hash:
f1358ad035528dc71d8210707576b40e
SHA1 hash:
b5a8a5784e6244e99aebe4f7ccd336cb891c372b
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
SH256 hash:
472ba32ad64143ca0eb677b1aba85d50a8881d108dc55211f4b46f3ad167248c
MD5 hash:
66247766592bcfcaee5eb3551bc16376
SHA1 hash:
51d9121e302989778c8e2f505536c5793f7ffc6d
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
SH256 hash:
b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8
MD5 hash:
5470553086d83e8eaeb078277e7de498
SHA1 hash:
e91d2bb4fdacd5280f838f60ea42c7ae81ca90a4
Link:
https://www.unpac.me/results/19050a7f-edf3-4969-8dbe-32eb995a8d4e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b9fd7e1e9b20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9fd7e1e9b204a2b8fe3c2ee138b05e10b49c76bb29dd20f9d4a0cebfe3b72b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370568/

Comments