MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301
SHA3-384 hash: 4e13d3c2e8f020c2bf24e8d34d164575741c4583c0003670ac7e04405bee74d2db82889311cc0db0cdff9bcbc0a338f5
SHA1 hash: cf625bcb86ffacbbd7431f87003013310f019cd7
MD5 hash: e422ad54cab7a11841f7be5a0b6fd124
humanhash: echo-fanta-artist-violet
File name:DHL AWB TRACKING DETAILS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:802'816 bytes
First seen:2025-02-05 07:14:15 UTC
Last seen:2025-02-05 08:57:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:COG/+F3f3EkCcQKrMJeEqhrQmEOjWjRwUpo2a:w+FPNToj6km2twU
TLSH T15B05220D7E56F06AC32D0773E423510B42FA461BF463F26646DAA9E24D3EBCC9A47493
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon e0e698a08088a888 (20 x Formbook, 6 x AgentTesla, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
486
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB TRACKING DETAILS.exe
Verdict:
No threats detected
Analysis date:
2025-02-05 07:56:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab37c9ee-7bf0-4bf3-9b87-ef95a3e657c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3215.21290.949.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a311012dcee78dd819735c
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67a3100a66fcf02ddcd68b29/reports/96af09a1-805e-4b47-8bef-5d8fd442a26b/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d16e9fd-aff9-47f4-aaef-b730c06c0dc9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1607182
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1607182 Sample: DHL AWB TRACKING DETAILS.exe Startdate: 05/02/2025 Architecture: WINDOWS Score: 100 31 www.l54354.xyz 2->31 33 www.autoluxmod.xyz 2->33 35 17 other IPs or domains 2->35 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 6 other signatures 2->53 10 DHL AWB TRACKING DETAILS.exe 3 2->10         started        signatures3 51 Performs DNS queries to domains with low reputation 33->51 process4 file5 29 C:\Users\...\DHL AWB TRACKING DETAILS.exe.log, ASCII 10->29 dropped 65 Injects a PE file into a foreign processes 10->65 14 DHL AWB TRACKING DETAILS.exe 10->14         started        signatures6 process7 signatures8 67 Maps a DLL or memory area into another process 14->67 17 SLNpzYAYKf.exe 14->17 injected process9 signatures10 43 Found direct / indirect Syscall (likely to bypass EDR) 17->43 20 raserver.exe 13 17->20         started        process11 signatures12 55 Tries to steal Mail credentials (via file / registry access) 20->55 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 59 Modifies the context of a thread in another process (thread injection) 20->59 61 3 other signatures 20->61 23 SLNpzYAYKf.exe 20->23 injected 27 firefox.exe 20->27         started        process13 dnsIp14 37 shantimotors.net 216.10.241.228, 49806, 50024, 50025 PUBLIC-DOMAIN-REGISTRYUS India 23->37 39 www.delikost.info 85.13.129.16, 50012, 50013, 50014 NMM-ASD-02742FriedersdorfHauptstrasse68DE Germany 23->39 41 9 other IPs or domains 23->41 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 signatures15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-02-04 09:53:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5de3vwncu5lstc6sm6z4gelapw7xp5c4qj4rzdpkgdlnbb7gkmaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
error
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250205-h3cvwawkgy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/61727cbc-f929-447c-aa8e-e24adc75904d
Unpacked files
SH256 hash:
e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301
MD5 hash:
e422ad54cab7a11841f7be5a0b6fd124
SHA1 hash:
cf625bcb86ffacbbd7431f87003013310f019cd7
Link:
https://www.unpac.me/results/6e1715f4-c2e2-450c-9aeb-5f95e03cb8c4/
SH256 hash:
2a7453e3b660c74d6ddce6fd7c1fd26b78bc1d5a5f69a7941f59a6b26776d6e6
MD5 hash:
416256a618070ca164813ba7d61bb799
SHA1 hash:
72b979b9f2d193b3ea4f12e99717822df4d1d27e
Link:
https://www.unpac.me/results/6e1715f4-c2e2-450c-9aeb-5f95e03cb8c4/
SH256 hash:
6afa88c151a337cc0e7c64b35fea66f1932b9abf0655868769568046c42934b7
MD5 hash:
2089296e0160fb91324856b64aecfd38
SHA1 hash:
8a1a84c7af25a321e25fc9808a281e08aec8225e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6e1715f4-c2e2-450c-9aeb-5f95e03cb8c4/
SH256 hash:
e866ea6407d63c954f2b73b556d5e42f611aade4390abc7eb12fe9b28be0014a
MD5 hash:
dd0f0cb1b9d3a7a24c7a95207316287f
SHA1 hash:
d6978e4588b468098e01917d91f59c86c4f1a0c1
Link:
https://www.unpac.me/results/6e1715f4-c2e2-450c-9aeb-5f95e03cb8c4/
SH256 hash:
cc1df784f66dd277eada2238948fe72f2936d7e1cc6a88a1216fdc28829de239
MD5 hash:
1d558645638d86dfebb9c8c5081e890c
SHA1 hash:
5679696da6741b07f9b50924711fe3e3239cb305
Link:
https://www.unpac.me/results/6e1715f4-c2e2-450c-9aeb-5f95e03cb8c4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e8c9bad9a2a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e8c9bad9a2a757298bd267b3c311607dbf77f45c82791c8dea30d6d087e65301

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments