MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8
SHA3-384 hash: 16977a4e20a2b2c083b785a436d82af231035a1f8fcc134897fdd7c1d7e8d91b3fe34fefcc571081bdeca2b9ec9a1f31
SHA1 hash: 0198bfaa0a9547f2c86c18ddbdd74fc3618d1428
MD5 hash: 2738b078502b83df67a4e54faa7ac3a2
humanhash: oregon-robert-zebra-idaho
File name:DHL Shipping Document Tracking No Confirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:216'064 bytes
First seen:2020-12-17 08:38:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 3072:50YsLYlpgAAnTeukx7X429QHLvkI/rbNbzXWITZMh5Mccvo7LZ1FjwhwUawdw8kf:50mAQxvQHL1j1DTZUcvoR1Fiawq8kcO5
Threatray 110 similar samples on MalwareBazaar
TLSH 40241348C63F9521DC0A97B09322B74E5EF203779E9084F715BAD801B47A7787A3B48B
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.fujiplaengrg.xyz
Sending IP: 23.238.40.206
From: DHL Express <info@fujiplaengrg.xyz>
Subject: DHL Shipping Document/Tracking No
Attachment: DHL Shipping Document Tracking No Confirmation.iso (contains "DHL Shipping Document Tracking No Confirmation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Creating a file
Setting a keyboard event handler
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Reading critical registry keys
Creating a file in the %temp% directory
Moving a recently created file
Replacing files
Deleting a recently created file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565253
Signature
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Executable has a suspicious name (potential lure to open the executable)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331712 Sample: DHL Shipping Document Track... Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (creates a PE file in dynamic memory) 2->43 45 5 other signatures 2->45 7 DHL Shipping Document Tracking No Confirmation.exe 1 2->7         started        process3 signatures4 47 Maps a DLL or memory area into another process 7->47 10 DHL Shipping Document Tracking No Confirmation.exe 2 7->10         started        13 conhost.exe 7->13         started        process5 signatures6 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 53 Installs a global keyboard hook 10->53 55 Injects a PE file into a foreign processes 10->55 15 RegSvcs.exe 15 5 10->15         started        19 RegSvcs.exe 2 10->19         started        21 WerFault.exe 23 9 10->21         started        process7 dnsIp8 23 233.75.3.0.in-addr.arpa 15->23 25 icanhazip.com 147.75.47.199, 49756, 49776, 80 PACKETUS Switzerland 15->25 29 4 other IPs or domains 15->29 31 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->31 33 Tries to steal Instant Messenger accounts or passwords 15->33 35 Tries to steal Mail credentials (via file access) 15->35 27 233.75.3.0.in-addr.arpa 19->27 37 Tries to harvest and steal browser information (history, passwords, etc) 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 08:39:10 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjegif534vwwkarljg463bqmasvap5y4ljnksekpdacsnldpd3ea._file
Verdict:
unknown
Similar samples:
048a4bdb5c21a62e9028370b06b2804aaeb3b85b2446f5c47ff3fb3e7f676be8
AgentTesla
086d2a6e11da6e37ab46eb8d75c2eeb3d4aa825001be71e1e109b4578e5a321c
AgentTesla
2d5d89747431e9003471e77e757e6c2d3310cbcac7451c1bb8389d0744543e6f
AgentTesla
344ae78ecc8cac02bb3dcd94c654b74543db829984f903f57dfab395639bfc72
AgentTesla
46e5baf1b4d81819842fa7145a3ec446d956fedbafb1a3d36d77ffa06dbfcb74
AgentTesla
4d302b4fd8564f5e3f9b505c0f342ec0e133fca6e5d0c6b3bd89746351561c5b
AgentTesla
55e7e1cd5e151e8f67b08a11555dc9020318e9924219192f84cd1d5a032b9ee2
AgentTesla
7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c
AgentTesla
ce0e9c38f501c41244755438857cf76ab25727502b344c65d30075ff3338f43c
AgentTesla
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
AgentTesla
+ 100 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201217-7cstnavyfx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8
MD5 hash:
2738b078502b83df67a4e54faa7ac3a2
SHA1 hash:
0198bfaa0a9547f2c86c18ddbdd74fc3618d1428
Link:
https://www.unpac.me/results/c6ddfd9d-62b6-4901-bcf8-3940d9c6ac59/
SH256 hash:
0dbd24b5ff908a84865187b1fe3490cd48d88a725a6a7084f7f9fe3bee652424
MD5 hash:
05647966747b7e6456116c86e4f46c61
SHA1 hash:
aab7e62c3a35f705860bfa92b4eed9e42e01ae0c
Link:
https://www.unpac.me/results/c6ddfd9d-62b6-4901-bcf8-3940d9c6ac59/
SH256 hash:
d01209e4c6358f08e2e82b13389e29aeb8c2c08741b18115b07d4d19c05690e6
MD5 hash:
b952003b1d8c51fddd6052ee43e8b7e6
SHA1 hash:
19d76141246802ee1600ad939ea270889c1a1c32
Link:
https://www.unpac.me/results/c6ddfd9d-62b6-4901-bcf8-3940d9c6ac59/
SH256 hash:
eb1507ec674985f08144b9df8525f9962e0932c3f77a7a30b9d1552ad96c1246
MD5 hash:
46460503108a20c85a684aeabd5be093
SHA1 hash:
64578fe346a786b739cb7424d047d8c4129d3cf8
Link:
https://www.unpac.me/results/c6ddfd9d-62b6-4901-bcf8-3940d9c6ac59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 74089d1c13cc4dc1f2d84f79ae749ccc5511db156c908c24f8b6f8332516f125

AgentTesla

Executable exe ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8

(this sample)

  
Dropped by
MD5 a0ae420904118e875caad56de51133a1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 74089d1c13cc4dc1f2d84f79ae749ccc5511db156c908c24f8b6f8332516f125

Comments