MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8163524766bde94fff9883de3c7f13bb88bbdd6af597bf3217613321caf43b3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 19



SHA256 hash: 8163524766bde94fff9883de3c7f13bb88bbdd6af597bf3217613321caf43b3e
SHA3-384 hash: 3c9fcc48e2ac62377a86e0ada7a93c02fc039afcbc5fe00fa93ee32259483feba90d67994a332a03e6ba9331ea0d1d34
SHA1 hash: 9fa904c86283fa018d6b3f3a6c7380a9951cc895
MD5 hash: e11757bfc31294e2b6a9f886a99e012b
humanhash: mike-speaker-johnny-hotel
File name: 0703_SHIPDOC KARNAPHULI - SEA.exe
Signature: AgentTesla
File size: 277'212 bytes
First seen: 2023-07-03 08:08:16 UTC
Last seen: 2023-07-05 13:04:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep: 6144:/Ya6EHi8cLmTORGEtGpEbUTHDr5U+7FEs7VWBLM5OXPNV2a:/Y6C1LgBr5U+7FEiYhwa
Threatray: 5'181 similar samples on MalwareBazaar
TLSH: T1CB441240FA74C0A3E83347318A7617BA9F9ED5132076974F17A17B443A757A28A0F793
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: cocaman
Tags: AgentTesla exe Shipping

Intelligence


File Origin
# of uploads: 4
# of downloads: 254
Origin country: CH

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: 0703_SHIPDOC KARNAPHULI - SEA.exe
Verdict: Malicious activity
Analysis date: 2023-07-03 08:18:03 UTC
Tags: rat agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating synchronization primitives
DNS request
Reading critical registry keys
Stealing user critical data
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla, NSISDropper
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected NSISDropper
Threat name: Win32.Spyware.Negasteal
Status: Malicious
First seen: 2023-07-03 00:06:35 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 31 of 38 (81.58%)
Threat level: 2/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: 4352ffcfdd1421694142574d7a3efe2f505728ad0b9fbb060973cca0ff435ac4
MD5 hash: 0a9613c2238309ee97565e9511a2ce77
SHA1 hash: fc5c87489ec2cf7524068e86c0f269bdbc4d5857
SHA256 hash: cfb47bc0e75450721fbab6d7e77319be2ff963baa043b0edbbd485d6f18e6f57
MD5 hash: 0255dca41f11beb051faeaf2df41ca9a
SHA1 hash: 45079d80bbf36a65654d288171b6c0e42fd437f5
Detections: AgentTeslaXorStringsNet AgentTeslaXorStringsNet AgentTeslaXorStringsNet
SHA256 hash: d7db7dc0b7ce792c3ad9dd31daf73c3839155e684c020e688d410acc997fb986
MD5 hash: 09a22943c54114efc8b370f96738d6d8
SHA1 hash: 141cba67a9e9216772ef31306237871ecd5363dd
Parent samples :
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: MSIL_SUSP_OBFUSC_XorStringsNet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference: https://github.com/dr4k0nia/yara-rules

Rule name: msil_susp_obf_xorstringsnet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name: pe_imphash

Rule name: reverse_http
Author: CD_R0M_
Description: Identify strings with http reversed (ptth)

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: AgentTesla
File type: Executable exe
SHA256 hash: 8163524766bde94fff9883de3c7f13bb88bbdd6af597bf3217613321caf43b3e (this sample)

Comments