MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0
SHA3-384 hash: d833c21f21ce468a38f2e8444bf9725c23c24e56b4ab84113429ab83eea9ed20613d8878a81546014e1305d03470877b
SHA1 hash: f2afff180c67230159a663f5cc9392d54b6fc734
MD5 hash: 7a1add59fe6dfebfaa1e207cfbf01a8a
humanhash: california-alaska-juliet-twelve
File name:Dhl.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:240'114 bytes
First seen:2021-06-22 06:31:14 UTC
Last seen:2021-06-22 07:51:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 3072:BBynOpL12riocbM2EgGRSlX+R1gk3+w2dJlLtB2F2TTbd70EGxjUlcdfhnnQKcvX:BBlL/8ll1jJV2dBB2F8nOEZlAnxCX
Threatray 6'010 similar samples on MalwareBazaar
TLSH 50341229BDD058A3EA2245F2F9775332E2778E5094105AC343A03FA73917AE6FD21E47
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dhl.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 06:32:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/49a293be-cd5c-4fae-815e-a14edba2346c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167451/
Detection(s):
SecuriteInfo.com.Trojan.Loader.845.24742.15198.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4791feb4-5440-4006-88f4-4279ba7e2b7a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/805756
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 01:37:58 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zy4ynbzaaibmrds3hk5egniifaxb7kyjwd2fn3okmvayvnagqsya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
196cb5a816d8bfb1a12710e8d6b836cdda2de48249c22ccb584014f4e1140b37
AgentTesla
2467d796a3133b798ae7c8a27818d6ecc411da142b4dd2eb97edb650d7651bf8
AgentTesla
25f8bda5569c8920933f5a0fa79081a5b72cac66240476af96d9e7e8d4304190
AgentTesla
34380ef9c6381117678077c058c01a7726209854d4bbc0283dd60a25f77e6558
AgentTesla
3455716f81e993173ef1e17b90f9233f70e6ce36a735ca19c40dcf816fc389ce
AgentTesla
c368d46d339548363e8c54693797b04d8aa1e82a9b687ac4305f550e36781d95
AgentTesla
c3ccb5a810da4cb19a71c1fa9edf8096263cc55c00341287b8c8203b8da1e939
AgentTesla
cb43d4ad476d7fec4d0b656c7bd48a52fc46552b58e93b9d3187941bde2ed566
AgentTesla
d6ff339c056def1d5e03ecbfea9e55dbd8f556885b2fdcce27ddff7e040152c8
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
+ 6'000 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210622-2eevfy1c46/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/df9fb087-8170-4cff-a956-8cb835ba4d50/
SH256 hash:
5e7e44ca82909f6704b657b21566b1bc90e99cf21b1ed7f22546247ab62226bd
MD5 hash:
2285d860637f204a0cea61882fd5f75a
SHA1 hash:
38a22b5d41066871f25640d2787e41bf0df13428
Link:
https://www.unpac.me/results/df9fb087-8170-4cff-a956-8cb835ba4d50/
SH256 hash:
ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0
MD5 hash:
7a1add59fe6dfebfaa1e207cfbf01a8a
SHA1 hash:
f2afff180c67230159a663f5cc9392d54b6fc734
Link:
https://www.unpac.me/results/df9fb087-8170-4cff-a956-8cb835ba4d50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ce398687200202c88e5b3aba433508282e1fab09b0f456edca65418ab40684b0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167451/

Comments