MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a82fd9492e6fb489ec32659817e5fb51f32f07d6a23cce5b8856c8fc3189af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	c1a82fd9492e6fb489ec32659817e5fb51f32f07d6a23cce5b8856c8fc3189af
SHA3-384 hash:	b0f2e843a112b8c7d652627c959dbd9b14cfa38796e57180b1b4d0827f5373349e41f94721eddcf021700368b7b19d7b
SHA1 hash:	f086eed76ffb3651dccc38a415c21bdbb9e6318e
MD5 hash:	ab1523340307633e863f571dccaa65d1
humanhash:	cat-oklahoma-aspen-oranges
File name:	DHL Delivery Invoice.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	339'968 bytes
First seen:	2020-08-17 08:15:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Dg4gzcXwiRqJIG8u4x2oBO9C2EgX/dPx1eTXz706K:TgzcXwv2G8zx2oB4CSJizzp
Threatray	10'603 similar samples on MalwareBazaar
TLSH	CA74185DAB84B902F13E1D3645DB8B2013B1D2874A12D30F6FC55FE8BB597CA2D892D2
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

HELO: xv20.508.pinotvineryms.cf
Sending IP: 104.248.29.12
From: DHL EXPRESS <508.pinotvineryms.cf>
Subject: DHL Arrival Notice: WayBill, BL., Packing List & Original Shipping Documents.
Attachment: DHL Delivery Invoice.pdf.gz (contains "DHL Delivery Invoice.pdf.exe")

AgentTesla SMTP exfil server:
smtp.hovventech.com:587

AgentTesla SMTP exfil email address:
pay@hovventech.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/46807/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/432854

Signature

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c1a82fd9492e6fb489ec32659817e5fb51f32f07d6a23cce5b8856c8fc3189af/

Threat name:

ByteCode-MSIL.Infostealer.Agensla

Status:

Malicious

First seen:

2020-08-17 04:35:51 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yguc7wkjfzx3jcpmgjszqf7f7ni7glyh22rdzts3rblmr7brrgxq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9

AgentTesla

5a023b9d4e63aab62c95820c69b08fc286f1ff99f7eb9381c5a83b258784063f

AgentTesla

a66ca1e1d94dfbe3e0fe92afd519f9a00b102438f6be1786a988fca58fa19bc6

AgentTesla

b5fd16a3680333bc763cd5c9bdd1ea24a4387653503bef22c61f575f517cb6f0

AgentTesla

c2b44b87549e6b32d9693351bcb48781100e91f1d86ea77c05d85f90b8698a6a

AgentTesla

cadf2a43d7f85a109aed5177e99951fba7031621fa470af37a58f283b0edc886

AgentTesla

cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3

AgentTesla

dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f

AgentTesla

e72bbdfcc56339eb2aca00e01162d7fdd1004d9992150f2dea1b014d6b4469ac

AgentTesla

+ 10'593 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200817-wnv293hadn/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c1a82fd9492e6fb489ec32659817e5fb51f32f07d6a23cce5b8856c8fc3189af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar