MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700
SHA3-384 hash: 06097b2494bc282795179610f81c8e47b9679711fff22d437f0071618ab8602c341d24dbe0a097d8b50a5dfa1b4d9b8f
SHA1 hash: e6781b3ce0021797e16325fe686b32884c7fb284
MD5 hash: ea0e96a02377e9e4db32d8f4d6aec75a
humanhash: mike-shade-double-nine
File name:DB_DHL_AWB_001833023AD.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:918'528 bytes
First seen:2023-05-19 11:51:19 UTC
Last seen:2023-05-20 15:19:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:uKG48P0iBY5FQvaKluTpwclGKOUGd9fpfef5HnU:gP0iWHqaFTpwclZgXEi
Threatray 1'501 similar samples on MalwareBazaar
TLSH T11915E05126B48F15E2B66BF95672E13443B22C15F626D3094DE12CDB3DBAF823B017A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
262
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DB_DHL_AWB_001833023AD.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 11:53:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/123fae76-c632-4ecb-9317-e4d705026ebe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
86%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646762e40ac978ca59c409bf/reports/81fb3f86-9e3a-4014-882a-cf66a6032867/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cce0b47f-f781-4221-ab8e-bc81223b4566
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237147
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870141 Sample: DB_DHL_AWB_001833023AD.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Found malware configuration 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 5 other signatures 2->59 7 DB_DHL_AWB_001833023AD.exe 7 2->7         started        11 rHdwUpLeeILJz.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\...\rHdwUpLeeILJz.exe, PE32 7->37 dropped 39 C:\...\rHdwUpLeeILJz.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpF753.tmp, XML 7->41 dropped 43 C:\Users\...\DB_DHL_AWB_001833023AD.exe.log, ASCII 7->43 dropped 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 7->63 65 Adds a directory exclusion to Windows Defender 7->65 13 DB_DHL_AWB_001833023AD.exe 2 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 20 7->19         started        27 2 other processes 7->27 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Injects a PE file into a foreign processes 11->71 21 rHdwUpLeeILJz.exe 11->21         started        23 schtasks.exe 11->23         started        25 rHdwUpLeeILJz.exe 11->25         started        signatures5 process6 dnsIp7 45 smtp.fest-thailand.info 13->45 47 us2.smtp.mailhostbox.com 208.91.199.223, 49695, 587 PUBLIC-DOMAIN-REGISTRYUS United States 13->47 73 Installs a global keyboard hook 13->73 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        49 208.91.199.225, 49696, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->49 51 smtp.fest-thailand.info 21->51 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->75 77 Tries to steal Mail credentials (via file / registry access) 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 33 conhost.exe 23->33         started        35 conhost.exe 27->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 09:42:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qk67rvi54wumqmcx6z46c6ayvwnr6zcnnfdhvtokgzdahrbby4aa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1680422c807dbbb8686d36461be752fbb2ad0d75d48711de16f85eb72d977203
AgentTesla
9375fd07cd429efac657a3735c1787a8f6bf8f8076fec0e61abfb81d0dd28235
AgentTesla
ab8a0181d0835a210e35819cd3e2220e5d683e67eb5678d574ae8f168bba965e
AgentTesla
c3d484451f9d0cf5aa68dfeceed67b5853cd2780512129668e9fdd98bc5490de
AgentTesla
ccb7f3c0b4ca7addbcb2025f46fb9ea42c1eca54bd19a728ca81046cacf3fe0d
AgentTesla
cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
AgentTesla
ec2832608abf213a2a622dba1ec894e80b2adfc3d0eb03ee783fa2df47dc6bf0
AgentTesla
+ 1'491 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230519-n1qa3sde82/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
89bac7f590a0051336271533f1df34717cf26caf54198e703f2f7bf28ad3e781
MD5 hash:
0c24b82b6ca2b68b0ef68944334926c8
SHA1 hash:
ac1923bf8852c914ee047c85ca66dbf9ccb572ab
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
1763fbcaf703360885c23936019b81bff8d121385ebe19f543c563544e1518ab
MD5 hash:
d8985e520f0fa9c5f738c224d708bb02
SHA1 hash:
7b0786c170332b2129f2b6ec85e5518e424cb4cc
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
SH256 hash:
40ddf11e4a0f8e8ed6ce55df9c95b21c8a67f1cd9dc0c832504656c57b504868
MD5 hash:
6129f906f1c7fa93833b76902e8d7848
SHA1 hash:
3000553e04b6bf327f3750daf214b0b0ff1dd995
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
Parent samples :
cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700
73ce1d5ddffdbd047c15e2bbdace225e6defc74eff88958911641f5fde726081
eda98286056888838732e3394913161d04b8c3369c49f91edd6dde003b9b69fa
f2168fe0192cc2c215eb36164e3f646177934df2681703551ac90ab73875f37d
444ca22e0385d682a9f56465094ecddbba73cb8b5c6dc3d3dea63539c2e19a5c
SH256 hash:
b178430918654661133e3cc86f68618dac7c1a56092e89c8d474cf3f05390a23
MD5 hash:
a74d4ff639d43c44d7dcf925dfc3b2d1
SHA1 hash:
1db08e8f485ac81d554e836a784589ab4cee8486
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
SH256 hash:
82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700
MD5 hash:
ea0e96a02377e9e4db32d8f4d6aec75a
SHA1 hash:
e6781b3ce0021797e16325fe686b32884c7fb284
Link:
https://www.unpac.me/results/1befb743-8901-4161-b2bb-24bc323e95d8/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82bdf8d51de5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4ff65e8d8e7fb3df64db1f3b895db3f2a0f79d9eb402a6b48dbb8bd5017ff706

AgentTesla

Executable exe 82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4ff65e8d8e7fb3df64db1f3b895db3f2a0f79d9eb402a6b48dbb8bd5017ff706
  
Dropped by
MD5 9d5920ec73bb913e120aec43d5a94577

Comments