MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a
SHA3-384 hash: e64c121c2cdc146264816d7c484bdfedcb557cab7a2de3c0247a7f2f84a93980f3a888ba501d62ff5fdf14f7984ca0f3
SHA1 hash: be7ab26421aae3ac498857b7eb7e8226b5a4a806
MD5 hash: 59084f95a9a2733334ead577e5f0aba3
humanhash: victor-music-beer-lion
File name:DHL AWB 0125286 PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:516'096 bytes
First seen:2021-09-01 05:56:12 UTC
Last seen:2021-09-01 06:04:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/GXP3bXdZ/pv99uk6Ze8U+UAg3g3bZ2kp+wjZKO84kCs7Iko/MD:/G/LNx9Xu9ZlZRg3g3bZlZKl
Threatray 9'255 similar samples on MalwareBazaar
TLSH T1E4B4D0487610B29FC467CD768AA42C20EB21B577631BD243A45716ECEE0DAEBCF111F6
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL AWB 0125286 PDF.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-01 05:59:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1753f9f-a458-46a4-a514-144b99a207db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184349/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac35c7d3-c029-4fed-906a-7ba2f64686d6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843093
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a/
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 03:50:38 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qic3tuywlaguhjwcjm4qfqeozr5oxipjfcsq2sqbfci6jyvbp4na._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
081a8310f26df9370271ce490e266a2ea7491b7fd90940f82e449c85a76b3a0c
AgentTesla
0f3e315bf22ed6028bced3141133fa2d9a2ef9866bdac5d44039750662e190aa
AgentTesla
67377c6c2259974077c2b7476f77823862ed6d5c6ce95c579e101b3d0a81b71e
AgentTesla
6eea5979c54077c3ef28f0a9900fd8779a1aeee9456aec1978c9a56472046408
AgentTesla
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
AgentTesla
c80f6d5af406da47db5ff57aad799ea02aa10eb99754a8fe18daf6b4e2aefa1f
AgentTesla
db2df52c06b039021ffb4cbbda480c7bc071cacc2d31348ef719025efd48587a
AgentTesla
e34725603d4f0177a6fbb66cff9f073a90cd74e6a65c05f1a704ab390906474f
AgentTesla
e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12
AgentTesla
+ 9'245 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210901-tfhdmj9nta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
MD5 hash:
29db2e114b88ae1f6a00c9aa71690043
SHA1 hash:
ec82db71443556a5b320357b0b8b09e70ec1db9c
Link:
https://www.unpac.me/results/c9ec7013-966e-4cfb-ae63-e15b0d5fc0f3/
SH256 hash:
f4a2eb5e87557ef687f5f24d693cf7c39c26c313ff033d522acb94cbfb08b92d
MD5 hash:
05f51d769efc13de03a748e6b9d4de11
SHA1 hash:
d0054c7c7944d35c6f4486d2e6467f672d8252ba
Link:
https://www.unpac.me/results/c9ec7013-966e-4cfb-ae63-e15b0d5fc0f3/
SH256 hash:
fa9249d053a73d9832fd7b82e76e9f9b800e02e2ea9bc9663e401215373d8c1a
MD5 hash:
c60409aa17e6a0f92faa53e23f877c16
SHA1 hash:
5ddd8755e3c6ed4e96f8c5c99f8ec96169d2092e
Link:
https://www.unpac.me/results/c9ec7013-966e-4cfb-ae63-e15b0d5fc0f3/
SH256 hash:
8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a
MD5 hash:
59084f95a9a2733334ead577e5f0aba3
SHA1 hash:
be7ab26421aae3ac498857b7eb7e8226b5a4a806
Link:
https://www.unpac.me/results/c9ec7013-966e-4cfb-ae63-e15b0d5fc0f3/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8205b9d31658/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8205b9d316580d43a6c24b3902c08ecc7aeba1e928a50d4a012891e4e2a17f1a

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184349/

Comments