MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
SHA3-384 hash: c4e444717bba99b62bc590676dab4b15def811a8f3cf0ea72b2ccc02092b4af3b2f005ac6af4424095da66e80b6f55d8
SHA1 hash: 8943ea38f0a7fe68a90e92eca96a81e7ea665c95
MD5 hash: a4ac1ef92f6343cdb154e90abd912eff
humanhash: hotel-butter-crazy-double
File name:DHL è PRG230411031112
Download: download sample
Signature AgentTesla
Create hunting rule
File size:602'624 bytes
First seen:2023-04-18 08:36:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:KOnbqjcd+jUDF2LUlxuxHONzmp6BFBsMo0fCgGUhyhTVJ:KJ8oUdbBpg6BkMo5gc1X
Threatray 184 similar samples on MalwareBazaar
TLSH T10BD4E028D2369DA2E6AD0B7600043ADADF70A1E3B477C23C4F9675D5AB9F7146C841CB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL è PRG230411031112
Verdict:
Malicious activity
Analysis date:
2023-04-18 08:37:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8200361c-0506-43e5-9b6b-7846d6252e6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382958/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643e56af7a31c790ffdbc088/reports/7c4177d7-e795-4426-8e0c-4229aeb1dacb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d04e50ba-349c-44b9-9a54-4701420e2bd7
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215744
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848672 Sample: DHL_#U00e8_PRG230411031112.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 7 other signatures 2->55 7 DHL_#U00e8_PRG230411031112.exe 7 2->7         started        11 uauFLg.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\uauFLg.exe, PE32 7->35 dropped 37 C:\Users\user\...\uauFLg.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp68BF.tmp, XML 7->39 dropped 41 C:\...\DHL_#U00e8_PRG230411031112.exe.log, ASCII 7->41 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 MSBuild.exe 2 7->13         started        17 MSBuild.exe 7->17         started        19 powershell.exe 21 7->19         started        25 2 other processes 7->25 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 69 Allocates memory in foreign processes 11->69 21 MSBuild.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 43 namebadgesinternational.com.sg 101.100.209.105, 49698, 49699, 587 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 13->43 45 mail.namebadgesinternational.com.sg 13->45 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->71 27 conhost.exe 19->27         started        47 mail.namebadgesinternational.com.sg 21->47 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->73 75 Tries to steal Mail credentials (via file / registry access) 21->75 77 Tries to harvest and steal browser information (history, passwords, etc) 21->77 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdi6o3v7jksnmxutuzz3yp6jj7dlg3kqp5gkb5r4pbrsqk26oi6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
AgentTesla
397ca8a839fae5e6c07fd3036a25e5df37220967ad381ca181da0a97354ed8cd
AgentTesla
74e026864737309f9d0055cd6fd0bed4fc1889f058440d5e9f21df3bb96f2b9c
AgentTesla
9776ff04f5a266245eb0837078897bf8bdc9dac49d9a5cea1f23c146d00c295c
AgentTesla
a036acc68623b42509e807b81be7270e1fc0c626aa15d8164d2f52bd321be1fd
AgentTesla
c442b854fb104644d2c9097e2b702de55797f1ccc23a651027de71d01bc693d3
AgentTesla
c70ed8b0ed3a434cadb2b4fcb796b3f6fb7266a3661c0a60ebe87a1e39613e21
AgentTesla
d5d18f9417c9f5268a707e6c276d8318f0bc399302ff07d8d8319257c9dac063
AgentTesla
d89323dd840c86ee64285f6353eee84089b4c242df329b9b5f0c42a6b8944eb5
AgentTesla
+ 174 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230418-kh5q9scb8w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
5de68856f334417a9a73c2c587df32999fc4cc39b8172b3524cfb2a75356b2f3
MD5 hash:
7630190c8d9dfe2e4c0eef923564e7df
SHA1 hash:
f61a26dcbf69b1f8bd482544b250ab1b2847319f
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
SH256 hash:
9c9ac55a1af75c7855f2535b39113939fe99f66693fec61af09bc005800be887
MD5 hash:
4d413380dd5a6c29fee3a6ec7873dbec
SHA1 hash:
d3dc4fa782259e05bffe24edc4c89398bac4b897
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
SH256 hash:
0148609a7a27488176bba5afa9bbbd6afa57a48198b80da7523af1e58e58cd43
MD5 hash:
cd26b52c42cf436551d97b80c7efe2d1
SHA1 hash:
c8ea5cc9ffb70d3282815503ae9fbbd55ea343aa
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
SH256 hash:
80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
MD5 hash:
a4ac1ef92f6343cdb154e90abd912eff
SHA1 hash:
8943ea38f0a7fe68a90e92eca96a81e7ea665c95
Link:
https://www.unpac.me/results/65b8bcd1-0b66-42c7-b56b-5eef962a87f6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80d1e76ebf4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382958/

Comments