MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615
SHA3-384 hash: 9a753f266bb068854d7a1a829e19564df01117b96f028e7d16791f117bd6f7f5df43294c94da8ca56d6bb59e6d6b23c0
SHA1 hash: 2b2df6c470621741c78d174733208ec8fc97d271
MD5 hash: 798f2512990dde2ac89b0054d5861dc4
humanhash: avocado-illinois-batman-kentucky
File name:DHL Express _Konşimento Takip Numarası - İthalat Gönderisi.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:456'704 bytes
First seen:2023-10-27 15:45:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:6CKjEasJm3yyXsuZxBvcAVo5JRwBZGEKosN7+Iby6dwC4WEa1SqpYE2Odtyqd72Y:6fjEyvsuZxlO58GEKDjwxOSsYrOiqoY
Threatray 825 similar samples on MalwareBazaar
TLSH T1CDA412DE8F6DBE2EE12322F58635C8A00B6D65B26405DB1FA90770471F75782F882EC5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6ce0ccccd4f0f0d4 (3 x RemcosRAT, 2 x SnakeKeylogger, 2 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla DHL exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL Express _Konşimento Takip Numarası - İthalat Gönderisi.exe
Verdict:
Malicious activity
Analysis date:
2023-10-27 16:01:47 UTC
Tags:
sinkhole agenttesla stealer
Link:
https://app.any.run/tasks/6f0eb2d2-e28a-4d20-9699-69c5b4331cbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456730/
Detection(s):
SecuriteInfo.com.Trojan.KeyloggerNET.54.12189.26312.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed remcos
Link:
https://www.filescan.io/uploads/653bdb3cb38131f117a96ba0/reports/a1aef476-fd3b-4291-8a74-0a1d2e034469/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/023d6ef5-40dc-4b21-85b1-82b91dd85fa4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333384
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates executable files without a name
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Copy file to startup via Powershell
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1333384 Sample: DHL_Express__Kon#U015fiment... Startdate: 27/10/2023 Architecture: WINDOWS Score: 100 50 mail.atasoygumrukleme.com 2->50 52 atasoygumrukleme.com 2->52 70 Snort IDS alert for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 13 other signatures 2->76 8 DHL_Express__Kon#U015fimento_Takip_Numaras#U0131_-_#U0130thalat_G#U00f6nderisi.exe 3 2->8         started        11 xbUuw.exe 2->11         started        13 .exe 3 2->13         started        15 xbUuw.exe 2->15         started        signatures3 process4 signatures5 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->78 80 Bypasses PowerShell execution policy 8->80 82 Injects a PE file into a foreign processes 8->82 17 DHL_Express__Kon#U015fimento_Takip_Numaras#U0131_-_#U0130thalat_G#U00f6nderisi.exe 1 5 8->17         started        21 powershell.exe 13 8->21         started        84 Antivirus detection for dropped file 11->84 86 Multi AV Scanner detection for dropped file 11->86 88 Machine Learning detection for dropped file 11->88 90 Contains functionality to register a low level keyboard hook 11->90 23 xbUuw.exe 11->23         started        25 powershell.exe 11->25         started        27 .exe 4 13->27         started        30 powershell.exe 11 13->30         started        32 xbUuw.exe 15->32         started        34 powershell.exe 15->34         started        process6 dnsIp7 44 C:\Users\user\AppData\Roaming\...\xbUuw.exe, PE32 17->44 dropped 46 C:\Users\user\...\xbUuw.exe:Zone.Identifier, ASCII 17->46 dropped 56 Tries to steal Mail credentials (via file / registry access) 17->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->58 60 Installs a global keyboard hook 17->60 48 C:\Users\user\AppData\Roaming\...\.exe, PE32 21->48 dropped 62 Creates executable files without a name 21->62 64 Drops PE files to the startup folder 21->64 66 Powershell drops PE file 21->66 36 conhost.exe 21->36         started        38 conhost.exe 25->38         started        54 atasoygumrukleme.com 94.199.206.56, 49731, 49732, 587 AEROTEK-ASTR Turkey 27->54 40 conhost.exe 30->40         started        68 Tries to harvest and steal browser information (history, passwords, etc) 32->68 42 conhost.exe 34->42         started        file8 signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615/
Threat name:
Win32.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-26 10:30:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yamaqb6l46diftiinkmlq5jurgcw2kciojxp6p3zamybjcneykq._file
Verdict:
malicious
Similar samples:
02c5fead904f60ca2323e29856fc67df8e091fe877d68d60a5f00ec6b2a16240
AgentTesla
04f59143e6d05f2b94cd081c398b7e4dc6ab486fa83e67194b13582faaa8727a
AgentTesla
4a793a9dfa5fac79c6e6b8f1d36e8719cc8f2849849259f364ee8e4af08d9613
AgentTesla
7404e54f6f5eca18b5a8bcc5c542c898c46ccfc2f2c5c11951da86700a368c61
AgentTesla
9fe9a0edbf56394c7f65764f1fe3a567ef7689716ee94cd1b415a00f907520bf
AgentTesla
d9c4218b65cfc6623714bfb0c253dbc00b5fbd539ef8c23d9619b9513933e83c
AgentTesla
ee7432148405e04f7d9f06bf7705fdcd737a50b0f8b8f0fe7c0c7e01a51e75cb
AgentTesla
f5f279dacaad0ec61ae22c2619bb2fabf308be3b841cd0311e7b97b16a1a1432
AgentTesla
fab88e2ebbe4f3ba70e7c08cbedde59af3b9da39ca50c0b252cb547f3dbddd0d
AgentTesla
+ 815 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231027-s7l98ahb29/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Unpacked files
SH256 hash:
1382dc893ed60b3d652c390ef75b008701eb13702819829c5b14d2b6e0a26a66
MD5 hash:
798b47923ffa2628f0340bf70644ae6f
SHA1 hash:
b5efeb45154926ca57de73e1bc614d3a94def26c
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/94211690-dba1-49fc-aec4-40e8050c0aa1/
Parent samples :
e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615
da4b946c45a9bcb19f8af098f68be62f7d58eb98a7184472a911cc19720da402
SH256 hash:
79d6cf6cf4f69cf5fccf1d1228e9b644af762720b377f52ad1af36ae1a67c1df
MD5 hash:
c6ed54fa66601b3d683829343694ae42
SHA1 hash:
b420dc517d88b7e2b7c20db4b72a3835aab4e5e5
Link:
https://www.unpac.me/results/94211690-dba1-49fc-aec4-40e8050c0aa1/
SH256 hash:
2df81b7a7580dd8099502f1caaf6ecf3af80d9b04ffe32cf2ac7834d944cc1f2
MD5 hash:
4cfae6afed1c1626499592c0d6711f93
SHA1 hash:
9f41bbd487e22867d3942e0db7a394ae00a69009
Link:
https://www.unpac.me/results/94211690-dba1-49fc-aec4-40e8050c0aa1/
SH256 hash:
e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615
MD5 hash:
798f2512990dde2ac89b0054d5861dc4
SHA1 hash:
2b2df6c470621741c78d174733208ec8fc97d271
Link:
https://www.unpac.me/results/94211690-dba1-49fc-aec4-40e8050c0aa1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e600c0403e5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e600c0403e5f3c3416684354c5c3a9a44c2b6942439377f9fbc81980a44d2615

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/456730/

Comments