MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f70cd1568d92c035119e5bb9e8bf1ada495ba6f31c6d042ac1d98ac3060d59a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f70cd1568d92c035119e5bb9e8bf1ada495ba6f31c6d042ac1d98ac3060d59a1
SHA3-384 hash: b03bd0215a5f3e0b754b5ab0173117f8f42e35f8cb7e141f0981a05016f1de62980ce0d7b5a19b5056627e2029ebe37f
SHA1 hash: d7ce953eef214f02d03df4eafa8c73416268ad50
MD5 hash: 711997ec37954514a8ce09446a0750a7
humanhash: music-wyoming-blue-ohio
File name:Dhl.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:728'576 bytes
First seen:2020-07-29 10:51:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'646 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:Vkzwuh8BSfN7Bv16pDBl/vMxTAQkrMMAxCT3KdO6euKY20cRadIGh8z:VYwutfN7BvQjvMxsqMHH7QE
Threatray 277 similar samples on MalwareBazaar
TLSH 89F409B936816002E53DFD33856599F1A2A2AD422F31FE0F24D23B996F11FCB365125E
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: chasie.xyz
Sending IP: 165.227.20.162
From: DHL Customer Support<support@chasie.xyz>
Reply-To: DHL Customer Support<support@chasie.xyz>
Subject: DHL Shipment Notification
Attachment: Dhl Delivey Notification.img (contains "Dhl.exe")

AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34762/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/402277
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253487 Sample: Dhl.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 48 29 Yara detected AgentTesla 2->29 31 Sigma detected: Add file from suspicious location to autostart registry 2->31 33 .NET source code contains very large array initializations 2->33 7 Dhl.exe 7 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\Dhl.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->27 dropped 14 cmd.exe 1 7->14         started        16 Dhl.exe 2 7->16         started        process5 process6 18 reg.exe 1 1 14->18         started        21 conhost.exe 14->21         started        23 InstallUtil.exe 16->23         started        signatures7 35 Creates an autostart registry key pointing to binary in C:\Windows 18->35
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f70cd1568d92c035119e5bb9e8bf1ada495ba6f31c6d042ac1d98ac3060d59a1/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 21:56:45 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64gncvunsladkem6lo46rpy23jevxjxtdrwqikwb3gfmgbqnlgqq._file
Verdict:
unknown
Similar samples:
2579750fc31d553a0c28640684542d667f050c7cfe1fb04964ec03b1a9cf00e7
AgentTesla
2a267254b993ac07447ffa6e2085d2e93f6dafa334c53f65d109d92082d1c350
AgentTesla
37c13fe1e55fbaa196cc1bb6ab1c2e30a326298687cd434f0b116c5ccb12a47e
AgentTesla
78ba6f6da444f33682e0878941f2258ea538b85eb1b7b96d7d15e19656327664
AgentTesla
a157b217186051da0622b17c6ddf722769c60887266c8e439d84514a4ce858ba
AgentTesla
d5a6e15de070836be0fd7d0cf2cde5957a4db1ce81224c5391d45c10bfd0eb4e
AgentTesla
d74a4cdc37bedadf721932a6118039ab332781ccbb8f00d9c763da4602ef6fda
AgentTesla
ec7341298210fae2e147d0ed6b9f9cf9edfd87d7e3901083ac4ab7c7d98519ba
AgentTesla
ecd1ef1a77aef138b3a0ccd5e74c92fa6b770366d4034a152a66e95b649c5282
AgentTesla
f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
AgentTesla
+ 267 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-6v384b7qhn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f70cd1568d92c035119e5bb9e8bf1ada495ba6f31c6d042ac1d98ac3060d59a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img a8c2ccbe6b51094e555fe11b631334150250905d0ee89dfc8aad100be8cc1e98

AgentTesla

Executable exe f70cd1568d92c035119e5bb9e8bf1ada495ba6f31c6d042ac1d98ac3060d59a1

(this sample)

  
Dropped by
MD5 16efd5f4875687e4e417cffee34bedc8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34762/
  
Dropped by
SHA256 a8c2ccbe6b51094e555fe11b631334150250905d0ee89dfc8aad100be8cc1e98

Comments