MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85
SHA3-384 hash: 5d50ecacc507634769d79a30daa09d5d7c52034f8dfbeb275206acc54a29226476c5952ea3e8ec1acdc525499846b0a9
SHA1 hash: a3ff09fe2f8b364c371b0fadc6219775023f6736
MD5 hash: 38c016c25f09bf2162fc5ceb69212acf
humanhash: kansas-bulldog-low-alabama
File name:DHL PACKAGE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:683'520 bytes
First seen:2023-01-19 10:40:18 UTC
Last seen:2023-01-23 09:08:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:CmTlfnu0b7UG0MT+rqnG+R3XThEcpuBKaxHlY5g6FDIkPT:CmTlf3EM4aG+RnThn6xHO5gQIkPT
Threatray 24'255 similar samples on MalwareBazaar
TLSH T1D4E45A415A7B83E2E4F94E78163CA5182B611CD147ACB13EBD827DBE8CE674F4095B23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
197
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL PACKAGE.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 10:41:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5a2134a8-dcd8-4eab-8b5a-a8e13ce389ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354429/
Detection(s):
SecuriteInfo.com.PWSX-gen.8350.27053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c91e3f8352dc7065e3c897/reports/33f0e91d-8f50-4b6b-ad30-01041ee7bc66/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ff3b786-14b1-44ae-bc91-ed3ec1d3b082
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1154544
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787276 Sample: DHL PACKAGE.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 6 other signatures 2->51 7 DHL PACKAGE.exe 7 2->7         started        11 GLlOzib.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\RoamingbehaviorgraphLlOzib.exe, PE32 7->33 dropped 35 C:\Users\user\...behaviorgraphLlOzib.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9975.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...\DHL PACKAGE.exe.log, ASCII 7->39 dropped 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 57 Adds a directory exclusion to Windows Defender 7->57 59 Injects a PE file into a foreign processes 7->59 13 RegSvcs.exe 2 7->13         started        17 RegSvcs.exe 7->17         started        19 powershell.exe 21 7->19         started        25 2 other processes 7->25 61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 21 RegSvcs.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 41 mail.azmlogistics.com 192.185.92.210, 49700, 49703, 587 UNIFIEDLAYER-AS-1US United States 13->41 43 windowsupdatebg.s.llnwi.net 13->43 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->67 27 conhost.exe 19->27         started        69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-19 09:15:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sg732xgny7jo5ielj7iqoa34xgkrgca34pakbrl3q7ynp6oxocq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
01b0e10d7351007133aa2a5f1cef379b855706256fb70f327990ea142df772ad
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
4ec961389dcf825881ba0f1100d9ee32d5f7087e2337425d087fc0c5d768a990
AgentTesla
6e90c85fbcfa669738f0d090ebe3f5dceb5b4796cd523c3f51cc956af3a20cdf
AgentTesla
71f2b84781d797f891bf4e7c9b19de48ccac1928305afa0e8f264c736a3fdb1a
AgentTesla
ce5c147f75c354710869fde43cdc99afb90de8f43d5a0a58cd7456ade759b110
AgentTesla
d6aeb3ff89d6756a14f8a7731c4caa67fa652a5a4709c6804b94879f751a3c6f
AgentTesla
d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620
AgentTesla
+ 24'245 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection
Link:
https://tria.ge/reports/230119-mq39hsfg23/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/96cf1f8c-bc4c-4e46-af85-7ed5eb24ab1d
Unpacked files
SH256 hash:
5433a4dd597a39cee9ccb16c8e35d9ab4bfc49f6b68a2ca5b06f807d4aee509f
MD5 hash:
9791b238195cd27927104407fc502513
SHA1 hash:
cedd0676662d804b66b12ee0bc222560b8b06876
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
SH256 hash:
e310822f667b484e3b5e8f60c22d3788872ec28efdfe96af3dec5804ba7b47d4
MD5 hash:
a28b0281fa2686f5507768683077f7fb
SHA1 hash:
7414a1c1d9bbfafb75fa25a665dd061169c0088d
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
SH256 hash:
ab2f8dbc2b147528cecac6ea1a8886951c424be0b2026743b39d97f0cbabb04c
MD5 hash:
77ab42f4bbbf4565846eb8953192d71f
SHA1 hash:
3c662c756cc31867c0473716a74e777a65ced550
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
SH256 hash:
f4b4beea8b88e89957c2f62b578dfe11d8034840d57c425b73dcc94235ade444
MD5 hash:
e8373192e597389b1de05f3b3a748c68
SHA1 hash:
0e18459f0b1c52ae6963c4f83fbf592cfdda6485
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
SH256 hash:
37f75c3f46032e32fb417015280f0617ab79a357b6c5c345e502c90c9147c4d0
MD5 hash:
19a8f36450831bb73c51fec5df16c802
SHA1 hash:
07c7c51379007cef2d847a005e669b88a2768395
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
SH256 hash:
d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85
MD5 hash:
38c016c25f09bf2162fc5ceb69212acf
SHA1 hash:
a3ff09fe2f8b364c371b0fadc6219775023f6736
Link:
https://www.unpac.me/results/4fee7465-6087-49bb-a8f5-a7b1947d681d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d48dfdeae66e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d48dfdeae66e3e9775045a7e88381be5cca89840df1e05062bdc3f86bfcebb85

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/354429/

Comments