MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
SHA3-384 hash: 2bad5ef67465752c6596e2f26b10145ce9a5b403cb3e92f23eac5ea8b1b37e4c1cef5c19a93f44954cdc21d7dba7bb4f
SHA1 hash: ea26d03d8328a01c97f1fcd77fe9cac9c6a198c0
MD5 hash: dab21f843b8186f92d53e92a2815c90e
humanhash: blue-kitten-virginia-illinois
File name:DHL AWB SHIPMENTS DOCS#.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:314'197 bytes
First seen:2023-01-23 18:50:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6xXRdUZuZIOHJ5+95vLWSjkS6amD5fhZMxyCtA0PRuzT:/YLXRdakT+9LWYkSUfzGL7Ruv
Threatray 19'994 similar samples on MalwareBazaar
TLSH T18F641289B3F1D867D4EA8F324EB815167A56EA22102DC75B13809A48BD327D3EC5F770
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB SHIPMENTS DOCS#.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 19:03:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e4417c3-456a-4918-9c36-99e88d4ace19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356052/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62556/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
83%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ced6e1447edb203a006f00/reports/763ced5b-4df3-4ad8-b73d-d52f6894b848/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0697209b-c7fe-4bb3-bd09-f7a21011753f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1157295
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790036 Sample: DHL AWB SHIPMENTS DOCS#.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 96 22 Multi AV Scanner detection for submitted file 2->22 24 Machine Learning detection for sample 2->24 8 DHL AWB SHIPMENTS DOCS#.exe 19 2->8         started        process3 file4 20 C:\Users\user\AppData\Local\...\kplzgil.exe, PE32 8->20 dropped 11 kplzgil.exe 1 8->11         started        process5 signatures6 26 Multi AV Scanner detection for dropped file 11->26 28 Detected unpacking (changes PE section rights) 11->28 30 Detected unpacking (creates a PE file in dynamic memory) 11->30 32 4 other signatures 11->32 14 kplzgil.exe 2 11->14         started        16 conhost.exe 11->16         started        process7 process8 18 WerFault.exe 24 9 14->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7bz2742k6b7axzrwismo6mj7tyquks5g7svqujgf3ivehdpco4ga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1143b577b1f61ea03807acd45383937486fd8f7873df1d1485848e0af7bc8780
AgentTesla
2539c6afb8cadcca6bff6d5c73e3d345577681b31de03809b7431c1f15ae85b8
AgentTesla
2a5098792b07f38355f0e06fee170432226013a21bc18c129212bb868e98f478
AgentTesla
4ec961389dcf825881ba0f1100d9ee32d5f7087e2337425d087fc0c5d768a990
AgentTesla
a7d2bd1e968aea0e81664aa5aabd428a57d12bc8573611543ad72a57661180b8
AgentTesla
aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344
AgentTesla
d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
AgentTesla
d9d9e3cc542fd9391c9ae953b0071b0a4a450df7d6e3e5563df812b128ab2620
AgentTesla
f7ff5363ab3abab34b14cd4a9962d092a506a00c0ceca50f8666aa3bd93da5d0
AgentTesla
+ 19'984 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230123-xgy9baeg48/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6f6f04a8664089353420c5b7f36c97b1df56a0c95b43c392bda2e0ec6ccd3fe3
MD5 hash:
46dd3b82333734560eebfa1d9f831d52
SHA1 hash:
9c1408bb17ba7c6856b2287eb1efe26fb561bfe6
Link:
https://www.unpac.me/results/cbd4e138-b177-4cfe-b5ba-24fef0c30aee/
SH256 hash:
cd38ae38de6c51d9df06eae48b4499de3393f0862bffc322f1022c23e06300fc
MD5 hash:
0d0b7a364a12b68e8c91dfc2eb47bf09
SHA1 hash:
7c5828de471e60888c35fd05f73715fe4075e7ef
Link:
https://www.unpac.me/results/cbd4e138-b177-4cfe-b5ba-24fef0c30aee/
SH256 hash:
bc1315928875abf9ea1041ef43e3a934e612219c452037bc8a648b5eb71dc276
MD5 hash:
2d2f23a4d6d1c0d5354893982508594a
SHA1 hash:
937a9bf8a8cfba1cd803512adae1d1eb48d79aa1
Link:
https://www.unpac.me/results/cbd4e138-b177-4cfe-b5ba-24fef0c30aee/
SH256 hash:
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
MD5 hash:
dab21f843b8186f92d53e92a2815c90e
SHA1 hash:
ea26d03d8328a01c97f1fcd77fe9cac9c6a198c0
Link:
https://www.unpac.me/results/cbd4e138-b177-4cfe-b5ba-24fef0c30aee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/356052/

Comments