MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5
SHA3-384 hash: f690536f96bcf717c92357c3df712e9b8a3c4d165561ec9cc54f6043f39754bbee06804f1cd848f0e988f98319a7903f
SHA1 hash: 18f64496ffd4270c7c077b2e6d2706cc6388b212
MD5 hash: f8c6accf590feca932de4403f28cb99c
humanhash: wolfram-fish-bacon-seventeen
File name:DHL Express Delivery.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'141'760 bytes
First seen:2021-09-20 12:52:50 UTC
Last seen:2021-09-20 14:25:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:upoulxEdAjbqZif1EodGNTEE72NbQ6lr03WRwzS9c3xXQxyT8df+9ck65IWGnBUj:upYu9JQECr2aJNfVsKQOeAC05K5NJJN
Threatray 10'014 similar samples on MalwareBazaar
TLSH T1E335DD294D2682F7C7EEC62CD09C0FCEEB72A4837A918F1ED89187D6065770BE58845D
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.esquiresweaters.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL Express Delivery.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 12:54:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/974e77f7-4cce-4a87-af70-0a08dcc7dc7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189441/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1037.14969.32346.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbb68caf-c83e-46d4-8fd3-fc6e253f6c2b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/854046
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 12:22:03 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37hkhyn5zsdf3axngou5vvq4unigeqcoicvxtpu7s63hpylig22q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3d7ff7b5c3895822950678253ac0465c62854af18802895bfd193ff6df0d0572
AgentTesla
4f9e6d626a2aa193431ca948dde9a3e526124f88dec8ed465ec7785d99368432
AgentTesla
5cddd352c21b35aa01f2353d74e3dedef3bde4b4dee56e61c696319ec9237b36
AgentTesla
78db50e8cd5d962b6b80d5b97895189f8fdc97fbcb68c6ab5bd6afa2884ad405
AgentTesla
84fcfd1c71d437667fd51eb8409202b796155e57b40d57bfbedeb4dea9024dde
AgentTesla
b204064e7c3b8739433533196342ff4d6164280efc13919946f8bbf22b433319
AgentTesla
d8c7a33fbfb33a86e7c0b21718e8b1402f2f1bd5886104829360e56972ca83ae
AgentTesla
e4770388b849dea4e5dcc40cb6a38afa5c2f473a03390b054fb2452ea6a91c8b
AgentTesla
f1540e89eeb7046cd265d37ef63a6d282a1ff8a89875193ae775582e74205594
AgentTesla
+ 10'004 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210920-p4mj2aebe7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a34ec196c6b4fcabb86b76016ca4ab0f32b3e60e8b023b64496137f095587b28
MD5 hash:
c373c94356a55eaaedbc0825b4d925e4
SHA1 hash:
aef3a93a2b6848009c672db6c6af5b8709cecec4
Link:
https://www.unpac.me/results/581de5fe-cd75-4bce-9b01-d8ded4fa327b/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/581de5fe-cd75-4bce-9b01-d8ded4fa327b/
SH256 hash:
106e417a300920b4f98782f61e1ad0e015002f1ec553d364fae3763bbda838ed
MD5 hash:
866c9c0469a9200f31e8287a0ce7c046
SHA1 hash:
2f1be53223424f00490430aa1a9d42ebd64003f2
Link:
https://www.unpac.me/results/581de5fe-cd75-4bce-9b01-d8ded4fa327b/
SH256 hash:
dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5
MD5 hash:
f8c6accf590feca932de4403f28cb99c
SHA1 hash:
18f64496ffd4270c7c077b2e6d2706cc6388b212
Link:
https://www.unpac.me/results/581de5fe-cd75-4bce-9b01-d8ded4fa327b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dfcea3e1bdcc865d82ed33a9dad61ca35062404e40ab79be9f97b677e16836b5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189441/

Comments