MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838
SHA3-384 hash: 15bca6a451076ca74247ee1264bd17fc00bedae22392ec75e4d86f8c7008263f649af4b6a6ada4af04f4cf58bc2ac6e0
SHA1 hash: 6ff7c0974c8e56b7d5bc0b12bdbba70daafde62b
MD5 hash: eeed9d769bd3164bafe72e6aaa840489
humanhash: washington-purple-december-happy
File name:SHIPPING DOCUMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:273'823 bytes
First seen:2023-03-06 16:05:54 UTC
Last seen:2023-03-06 19:02:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:PYa6p7nlSeDkVu6jGYzgRddMvGMp5EpEFTuVuwICj5Xy45a8O:PYbz4ewVu6jGYzoiFphTlgE45a8O
Threatray 2'011 similar samples on MalwareBazaar
TLSH T18B442245DBF4D0ABEF2343B00D785B26BEB9E81094E8DB4BB7D01B5E7652B88490D351
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
3
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPPING DOCUMENT.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 16:09:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6796cf9f-a2db-4cfa-b840-9df28b70834f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372077/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20230306-1332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
DNS request
Creating a file in the %temp% directory
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64060f6b0e8ce4beca25dc1e/reports/568b240e-049c-4747-b2da-f8738ff9cdb4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adf07248-dff2-45ba-973e-b9fcb9aa3ef1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187919
Signature
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 13:43:04 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ui5t5w3xnvcbzt6qln5n3germ54zrqcg652clvlwkebkkxhfa4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3d89d938245c8482b052606671e22041cae0ca7b12bb59214726b9dedb59f3a1
AgentTesla
407a3b446f6394fe028e808af4a5e57bcb9a3b351858290abeef7fa1213bd712
AgentTesla
a38130878bd9f54c581173d7e7ed0429ac81d961037788532d4b3d026538a66d
AgentTesla
b86dcd626dbb27b1943ed92b91df1c76fc2110fe2cad04786a18076c7c08660f
AgentTesla
ca0e3813c0c1155a09e9fb2f0e9133fd61c8438d875a3ed797b9bdf3ad79c5fb
AgentTesla
cd5a3db769491e5e9b19fe8f2703456f82dbd128babacf54ac1c494587665f72
AgentTesla
d1e4cc2b2df4de229947e033f6dd65379db0d12d92ec7de9ffcc8336c1c55e9a
AgentTesla
d480e69826b8ab773d632efd5a0649ed1aefecace150c8cab57daf8064daace1
AgentTesla
eb72630f472d5fb65862fd4272ff040ca8e721b38f56a90c8ac5d538b15e341f
AgentTesla
f3b5a33da3982a8854963caf89d4563890e0d195f692843c3932dc99510b2e15
AgentTesla
+ 2'001 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230306-tj267scf3y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
6d6b0251a48a99d3fdc7a9c8018a57f7eddcaa0fcad64a6bd9311485b83c548b
MD5 hash:
cdb97775576804216035116816e2d292
SHA1 hash:
cd1cb68d5fe38331824947f1c241b4c5b7343a75
Link:
https://www.unpac.me/results/28a3453f-03e2-4370-918b-0e3baa83405e/
SH256 hash:
3854de0b367210e4b7997960d4d0a60b0843e54b3a3af0dc63613153fa1aa58b
MD5 hash:
986f3050e6ba4d807f90dc483c01f951
SHA1 hash:
bd2af1b2fc00e5ea95215bf9b7896ac06eafc719
Link:
https://www.unpac.me/results/28a3453f-03e2-4370-918b-0e3baa83405e/
SH256 hash:
5b3c98579d919f007479feaa7611d5a3d2a6f835eb72d5055eb647d05df08e52
MD5 hash:
1513d79df03d6715d59bf3f6ffd6b52a
SHA1 hash:
93372b8222b909045c02ca2f057d6347f2a9f21d
Link:
https://www.unpac.me/results/28a3453f-03e2-4370-918b-0e3baa83405e/
SH256 hash:
e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838
MD5 hash:
eeed9d769bd3164bafe72e6aaa840489
SHA1 hash:
6ff7c0974c8e56b7d5bc0b12bdbba70daafde62b
Link:
https://www.unpac.me/results/28a3453f-03e2-4370-918b-0e3baa83405e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e511d9f6dbbb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c5789b2cac6951941c4719f8457843af7b666fc13619fb6092d4e9225cb06a18

AgentTesla

Executable exe e511d9f6dbbb6a20e67e82dbd6ecc48b3bccc60237bba12eabb288152ae72838

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c5789b2cac6951941c4719f8457843af7b666fc13619fb6092d4e9225cb06a18
Cape
Cape
https://www.capesandbox.com/analysis/372077/
  
Dropped by
MD5 fffa63e01a45d4465d3cf84f401d3bc4

Comments