MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5
SHA3-384 hash: 446d1b961eadff05bd85194738eb5efc5bda9ae8c9e0d5ca0539a84d5fa1d6a96078d085b72a8e214a26993aab75aa3b
SHA1 hash: 79f94ce904c5810199da15ed5b954096b81978f3
MD5 hash: b95698896fae2a12a9ae064dafd90c87
humanhash: oregon-music-massachusetts-mobile
File name:74725794.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:5'869'056 bytes
First seen:2021-01-18 18:15:59 UTC
Last seen:2021-01-18 19:32:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:g0YdULgbQgoTps4OeGuMyhoB5SzRFd9QNV5dSjag+a6gk/VGpIo:gAYQt1sDeGuMyyB5AFd97abdg0IGo
Threatray 150 similar samples on MalwareBazaar
TLSH 5A463313E26CDA20C91038FE4C5B756DAD25D987EA14CAF27B273A2D7C54FC14B8E186
Reporter abuse_ch
Tags:AgentTesla CHN DHL exe geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [144.208.127.210]
Sending IP: 144.208.127.210
From: China DHL Express <5idhl_noreply@dhl.com>
Subject: 【中外运-敦豪】电子发票(发票号:74725794)
Attachment: 74725794.zip (contains "74725794.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
74725794.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:23:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/548cc40e-ff2a-4e9a-a144-9fffe14095f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112641/
Detection(s):
SecuriteInfo.com.FileRepMalware.29249.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/584106
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341094 Sample: 74725794.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 80 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 Machine Learning detection for sample 2->34 36 3 other signatures 2->36 7 74725794.exe 6 2->7         started        process3 file4 22 C:\Users\Public\Desktop\dex\dxn.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\...\74725794.exe.log, ASCII 7->24 dropped 26 C:\Users\Public\...\dxn.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->28 dropped 38 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->38 11 dxn.exe 2 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 40 Machine Learning detection for dropped file 11->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->42 16 dxn.exe 11->16         started        18 conhost.exe 14->18         started        20 reg.exe 1 1 14->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5/
Threat name:
ByteCode-MSIL.Trojan.QRAT
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 18:16:11 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdixzhwj6k35awjcaj4gmbyh6ewyinhrsr2tqmyttwhkb33ci7sq._file
Verdict:
suspicious
Similar samples:
02c430c51fa15522e80f952731fabd0f06d968d1205c2249e30a052a4e96d771
AgentTesla
2a632fa3436f40c7901873fe1ef196c9d4560ea37935fbe123259302fdd043c9
AgentTesla
3090211d3d8dd213717672563c3d2a7181b323d5d7dec438c16dc7e0e2c331ee
AgentTesla
30eb1963753aa4a9d4987f1e43c684d91b1b9ca11202a7f751bc621a0149cb19
AgentTesla
485fcb629691d08260b4066b1261fefbbdd4dd399fb5ebf9df7311c5e0710f68
AgentTesla
4bb974d690e775a23b6b907a22614c47dc88e7b47d0ac0811e53e4bbe0c85f68
AgentTesla
8fde2bd043c16448fe13d733e35e388de4a95938f187682f60725d27da3653c8
AgentTesla
b07f1a61fef552e8f6261abb854ec9b44aa57588c6ae812bf67f6a267a14ff9b
AgentTesla
b3e06e10d739a4e4c6207dba909e57c264994c09543a5101fe52da860e8a09a9
AgentTesla
f4524797f4b1871ce21a139c2eabcd661e3a1c8728a7b40d54d3a8c0ee6ca30a
AgentTesla
+ 140 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210118-ht851rkwb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/bd104347-0045-4708-a549-9148b3599f9d/
SH256 hash:
534698b4a6c8b61d9f027d702d3b05e69b0a3b87192c4929325c0943fb309cf9
MD5 hash:
1246d289e63a6f44ab4cdfeda38fae45
SHA1 hash:
751f796f29c21d0dabce5a7f19f96454b1ce407c
Link:
https://www.unpac.me/results/bd104347-0045-4708-a549-9148b3599f9d/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/bd104347-0045-4708-a549-9148b3599f9d/
SH256 hash:
c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5
MD5 hash:
b95698896fae2a12a9ae064dafd90c87
SHA1 hash:
79f94ce904c5810199da15ed5b954096b81978f3
Link:
https://www.unpac.me/results/bd104347-0045-4708-a549-9148b3599f9d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2eef6e5828edc9bf4189162c53df1fb29c7d13a0e0f2ada4ac61e3925a462a6d

AgentTesla

Executable exe c8d17c9ec9f2b7d059220278660707f12d8434f194753833139d8ea0ef6247e5

(this sample)

  
Dropped by
MD5 6e76c87d6b39e20c65fdd90d148ffa69
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112641/
  
Dropped by
SHA256 2eef6e5828edc9bf4189162c53df1fb29c7d13a0e0f2ada4ac61e3925a462a6d

Comments