MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c
SHA3-384 hash: 6ab078a5477437b425ff1e41f50d866d320d5ba9e2fd9779a04680ef2abece983635f7c788751a60c5aca66b7b7f386c
SHA1 hash: 687124ac7e7d79f8b00d574494098a394f2110e8
MD5 hash: eb3ef8e245917c9fae37e6738ef114d5
humanhash: two-timing-undress-oranges
File name:ARRIVAL NOTICE WHL050C538369.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:852'992 bytes
First seen:2023-06-20 08:17:36 UTC
Last seen:2023-06-20 13:48:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'612 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:CXzu4CZdOo4dujsFqFgMNS7cabgCq46CL+:Cz6ZYo4MYFq6MNSKe6C
Threatray 1'313 similar samples on MalwareBazaar
TLSH T18E05F11022B84F57E13E87FD4460227097FCA65A742AD70ACEC7B4CE6FA1FC10A59A57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
262
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ARRIVAL NOTICE WHL050C538369.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 08:19:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b37f4abc-88f0-4edd-bd41-c8c530af5e02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400922/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2905.5241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/649160bbde4f3aec0ae63f9f/reports/34e74250-53be-472c-b2bf-098999b4b478/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c677e8c-282d-42d5-b074-fc144c95492a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258049
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891076 Sample: ARRIVAL_NOTICE_WHL050C538369.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 7 ARRIVAL_NOTICE_WHL050C538369.exe 7 2->7         started        11 ejewWI.exe 5 2->11         started        13 aCcAwFD.exe 2->13         started        15 aCcAwFD.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\Roaming\ejewWI.exe, PE32 7->52 dropped 54 C:\Users\user\...\ejewWI.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp6800.tmp, XML 7->56 dropped 58 C:\...\ARRIVAL_NOTICE_WHL050C538369.exe.log, ASCII 7->58 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 ARRIVAL_NOTICE_WHL050C538369.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        98 Multi AV Scanner detection for dropped file 11->98 100 Machine Learning detection for dropped file 11->100 102 Injects a PE file into a foreign processes 11->102 26 ejewWI.exe 11->26         started        28 schtasks.exe 1 11->28         started        30 aCcAwFD.exe 13->30         started        32 schtasks.exe 13->32         started        34 aCcAwFD.exe 15->34         started        36 2 other processes 15->36 signatures5 process6 dnsIp7 60 api4.ipify.org 173.231.16.76, 443, 49702 WEBNXUS United States 17->60 68 2 other IPs or domains 17->68 48 C:\Users\user\AppData\Roaming\...\aCcAwFD.exe, PE32 17->48 dropped 50 C:\Users\user\...\aCcAwFD.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 104.237.62.211, 443, 49704, 49708 WEBNXUS United States 26->62 64 api.ipify.org 26->64 42 conhost.exe 28->42         started        66 64.185.227.155, 443, 49705 WEBNXUS United States 30->66 70 2 other IPs or domains 30->70 44 conhost.exe 32->44         started        72 2 other IPs or domains 34->72 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 07:12:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2aigbtm2mnsbjplofyexcks5ckai72gtqivmdoy6lpeq5n7z62oa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23
AgentTesla
37dc167da39f0b4322d8936d32185c2c99931b63284cc9edb230abd513dffbf1
AgentTesla
6171f1157e6d3840397d27a5f484f8595770ad153d5969aa96a058114243cfa8
AgentTesla
6d9fe81f7f3e7e01b2f0ed86012b129172bbc4a3f3155339f8d2f14bfea2152b
AgentTesla
841c2906a20d94ec86b77f8521073f13981909c97a739a06f84a7bb9dc9cbe6b
AgentTesla
af87ecc512fe3271689f7674ab31070633ac5a85b3a5b2ac585068f3127b77c7
AgentTesla
c27a4d017b1886d697758f747979b46b1f2d6012ba043869d56b07afab0c88c9
AgentTesla
d964a65d39458176447fdb930e03e6534c19dcc556abde4cb522fa2aeb8289e8
AgentTesla
e33e4865fd5388cb8d3b67d1919d3ec2ee596463012327798fed93a2a282e4bb
AgentTesla
+ 1'303 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230620-j6958aca9z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bf30f7032a6e2fdd6a872718de569645dda2c9e734a4f90a77e5af9a58d75812
MD5 hash:
29432c0db5445ce74b8a1042234187af
SHA1 hash:
fdc1bce5c868fbaed48ff27b3cc73b752bc66e75
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
SH256 hash:
e634566a114daa4985284a726fbe0bbc29ed88e369c31065e38dacb3e6b844d8
MD5 hash:
f4ede50a78bb89b3994e46ea1e834ff8
SHA1 hash:
c99a70dc267c5b8493333c8971067d53e6d5d55c
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
SH256 hash:
404848373bf42d172460262f8b08f68919afb6a642a90ad33f25a17e42e0e6cf
MD5 hash:
1dcc8376b16a741567bb4eb3e1f1f738
SHA1 hash:
5388c71c477cf016473f9400e869e34f9d3d4aef
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
SH256 hash:
d495833f204e4cf02f08493c2b76edc8aa20e1e801f8ad4a0eae2bdf8481fedd
MD5 hash:
c94d886c503c4b4975cd92e80429ccbc
SHA1 hash:
1e8307717a3812d2321ececd55bebaf52ae1548f
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
Parent samples :
1f2f1746667ecb81ee35f0709ad5ff827d12664c17e05b1c50e7bb92305a18be
53f05b8ffba066e35b4b68ca12d913f7b34f449a1956a359060cb6b5709a805a
7ca4331b53cb649259648314c7e8eb267cfba6d16fdbc58273fd1005584f4b91
dcd2a1a571f36c2739e2c358225fb7bfa4c8ff7379755aedcc68e1cbd71bc076
ad641230d3be8895193642d333ed88e1d6e94c209dfcb6c1932cd6a7f324a82f
4e6012a95e4daac2ddb4a6ebfbf11d702fc848da567df7a4094f83abb1f9bfa4
6d731cdb770865654178d35ddd42ed30c749311de73924037707997e363e0bb0
0ffb2f62c79661847214dbf0242b3ccb488782b9a06278a1b66244f9338f2525
8dc3d9b99acd1d95d821aadb8ffc1b2e0796fca16e39a6abfe7c50fe32770b69
d4eb0b351ba85b39db243f72e6aa72111e9db00683f66dde74a5f7b845c89f02
5935b528198306ddd89ca0f4c5772393861626a24253b2de9f7fb74eb20e29b9
d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c
9e41cf5174dab99ec8b788e6a0b98747378e04406d7179aa12c832e75f6022d6
c1b407328dfb3df00e409a9c3661b8ed81aea549322104e30929f1d669404d06
SH256 hash:
d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c
MD5 hash:
eb3ef8e245917c9fae37e6738ef114d5
SHA1 hash:
687124ac7e7d79f8b00d574494098a394f2110e8
Link:
https://www.unpac.me/results/45ae63f4-db80-478b-b5c3-516c9440519d/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d01060cd9a63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 968cf0913cae66409f90e8055d5f8b170c733b515a8fbd62e0209f83685a01c8

AgentTesla

Executable exe d01060cd9a636414bd6e2e09712a5d12808fe8d3822ac1bb1e5bc90eb7f9f69c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400922/
  
Dropped by
SHA256 968cf0913cae66409f90e8055d5f8b170c733b515a8fbd62e0209f83685a01c8
  
Dropped by
MD5 1f263ce202620a41198ccf99063added

Comments