MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687
SHA3-384 hash: 3800bff77d57ec2e2b8bcf8b33d29b99c087dd6c55d4e10cd53b7ef88f518a825acba1de138d1a495ca48bcd68d02055
SHA1 hash: 5d5e1b60459e4c6a0745b4b22075b901e28e0c54
MD5 hash: 6c2d830b0a2ccb22af19300af06eda39
humanhash: shade-mockingbird-rugby-red
File name:DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:914'432 bytes
First seen:2021-04-07 11:21:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:XoSnyElpIV1Fn6OAVo1TJ9Nxf10WwtfzpzY7n4NkySmwyk67Kd7Z5:XTy65o1PrL20MWZ/67K9
Threatray 3'895 similar samples on MalwareBazaar
TLSH A515E02B775C6B5CC34C4B72703A4AB862E49F037166DE2E74C9FE9C4E2221E57161E2
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sadunjom.com
Sending IP: 138.68.69.228
From: DHL Express<invoicequerys@dhl.com>
Subject: DHL Shipment Notification
Attachment: DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.arj (contains "DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:56:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76678fe6-c0e2-4c02-9c37-d4b5456976a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132841/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Kryptik.fa61592c.1216.6585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668595
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383226 Sample: DHL_Express_Shipment_Confir... Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 2 other signatures 2->61 9 DHL_Express_Shipment_Confirmation_BKKR005545473_88700456XXXX.exe 15 7 2->9         started        13 Operaa.exe 14 3 2->13         started        process3 file4 43 C:\Users\user\AppData\Roaming\Operaa.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\...\InstallUtil.exe, PE32 9->45 dropped 47 C:\Users\user\...\Operaa.exe:Zone.Identifier, ASCII 9->47 dropped 49 DHL_Express_Shipme...8700456XXXX.exe.log, ASCII 9->49 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->65 15 Operaa.exe 3 4 9->15         started        18 cmd.exe 1 9->18         started        67 Multi AV Scanner detection for dropped file 13->67 69 Machine Learning detection for dropped file 13->69 signatures5 process6 signatures7 71 Writes to foreign memory regions 15->71 73 Allocates memory in foreign processes 15->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->75 77 Injects a PE file into a foreign processes 15->77 20 InstallUtil.exe 15->20         started        23 AcroRd32.exe 42 15->23         started        25 conhost.exe 18->25         started        27 reg.exe 1 1 18->27         started        process8 signatures9 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->63 29 RdrCEF.exe 23->29         started        32 AcroRd32.exe 23->32         started        process10 dnsIp11 53 192.168.2.1 unknown unknown 29->53 34 RdrCEF.exe 29->34         started        37 RdrCEF.exe 29->37         started        39 RdrCEF.exe 29->39         started        41 RdrCEF.exe 29->41         started        process12 dnsIp13 51 80.0.0.0 NTLGB United Kingdom 34->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 09:58:35 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4eroixh73xyg3ixjwa6slgzhz7dx46hy4dz5ar64ur4xljpyc2dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e360afe7e5de25783afb92588b7c54eee9413d21727c9379f813db1501c8ce3
AgentTesla
105f2576744d531eaa8515b275542809e6385397b95e735e54c7dad418c4e0c1
AgentTesla
1974eb0632e98cc3277adaa0074d95fe33602c751a27032d93ae03b09dd9e77d
AgentTesla
30872c755e58b1ee3bb273e169b0b965939575af5c3e4626f53622e0f0705cad
AgentTesla
4fa158cc0fa6577b7744c71375daa38ff6ce0818b9cfc82899f7e6e46a8601d4
AgentTesla
702846aefcf07891a049c08818ff3d335b35b01f72ede73d4dc602e9260e3950
AgentTesla
8a249dd65a90624d877633b7f9baf3db4bee9ad8dd5a344e9ee59ca799bec8a7
AgentTesla
ba9401e8bca51c8ba497abf551f24a0aca86ad96facde44a8121ef6d178f0ac4
AgentTesla
c95438b7107da932d24c8a04dcf5ab9adccad56086566765c2f7c96cc08ec8d0
AgentTesla
f07e0500a867708c2b93d0b15504c02faf60a1e69968dd46c246918445975ba6
AgentTesla
+ 3'885 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210407-eg2fgnasaa/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687
MD5 hash:
6c2d830b0a2ccb22af19300af06eda39
SHA1 hash:
5d5e1b60459e4c6a0745b4b22075b901e28e0c54
Link:
https://www.unpac.me/results/90b47164-ecb7-4e2b-8b3e-da4da1fb0af0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 65071be9fdceaa1ee27215551ed7ebc6626b95902c461b70379394c5c94048cb

AgentTesla

Executable exe e122e45cffddf06da2e9b03d259b27cfc77e78f8e0f3d047dca47975a5f81687

(this sample)

  
Dropped by
MD5 a7abd5f501803ce742e4a560ff2657ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132841/
  
Dropped by
SHA256 65071be9fdceaa1ee27215551ed7ebc6626b95902c461b70379394c5c94048cb

Comments