MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c968707cc9776419643ca1f0887a31954614629813f222ecc0e025b2efa3a815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c968707cc9776419643ca1f0887a31954614629813f222ecc0e025b2efa3a815
SHA3-384 hash: d09c46ef80d2beeca3a2d7db3461b59e787481a1b34abe594302962b028ed3f36811219e325f0dd4c82e4277931649bf
SHA1 hash: e3192a349933acbd29c8d4b3300eebe0b1e015fe
MD5 hash: af4bf930b464dc57a630c3a8d325941e
humanhash: jupiter-hotel-may-fish
File name:DHL_FORM.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:739'840 bytes
First seen:2020-06-17 11:05:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8eeec669d894212fb1f97c60d41a6bc8 (2 x HawkEye, 2 x NanoCore, 2 x AgentTesla)
ssdeep 12288:JXQnh0qccj0S0G5Vrfg2hHCmoQp7satRKhwAtRebbH3g0uw:9gqcj0og2smoQBBRKvzCLf
Threatray 11'377 similar samples on MalwareBazaar
TLSH 3FF4AE26E6D0C43FC3161579DC0BDF785C26BED06A1825B72BE9EC48AF392913939193
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ej-email.beyaz.net
Sending IP: 207.154.196.223
From: ihsan.gokcek@12m.com.tr
Reply-To: customerservice@dhl.com
Subject: DHL Delivery e-Notification for Incorrect Address
Attachment: DHL_FORM.IMG (contains "DHL_FORM.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19520/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 11:36:24 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfuha7gjo5sbszb4uhyiq6rrsvdbiyuycpzcf3ga4as3f35dvakq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0592333ddc8cbc8651ba7b782a70b972e4627b1505ba9b1812a97046f0484df1
AgentTesla
4eca97dcf2f3dca0c97c0af76722945ad060e59482104c2b851dabdd1bcf0afd
AgentTesla
5a6511cdd0a862e1dc404538fa8895b924b9ed153215099958b07bd10a90ea71
AgentTesla
5d8edb52dabb7850b75a9bf3f899756425401e26b221fba7117c9627ae844590
AgentTesla
619d55dafa6cfdc23580e3a1e8a57ef3a246a0163385f4a61a591ac0517d85f6
AgentTesla
6253680a2bb3fbbf658ae3418e7b3964709c60650230ff73fb9825cdaa9d62dc
AgentTesla
6ee05acf3d5f5180f7c89274a4d8c5018b50b59b699f4eb13935db42b6646762
AgentTesla
a498ac74ffd2f4ceccc802b5a42f33e067a7eb6f0b2125c3cf3668dd5c0c7833
AgentTesla
a81b58feebb60b6aba3ccc7adefade4332c13b95dabe08e91509703fb1fd401c
AgentTesla
cea1d36e04dc9357211734f659dfe352056afc40779ee251fee4e72ceec619bf
AgentTesla
+ 11'367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200624-qc1c8566ks/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 578064196deed18d6fb580ec7bdc46238be3c9f235501912c2affd0fc93c38db

AgentTesla

Executable exe c968707cc9776419643ca1f0887a31954614629813f222ecc0e025b2efa3a815

(this sample)

  
Dropped by
MD5 937c5e5300f4ee12b9d04f3f65eae73b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 578064196deed18d6fb580ec7bdc46238be3c9f235501912c2affd0fc93c38db
Cape
Cape
https://www.capesandbox.com/analysis/19520/

Comments