MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
SHA3-384 hash: b3e9994cafaff3a6fac1c3d3dbebe433bd980c2d99a18984355d77266c7f88bb862bcbfad6bfd3b8381c16821abf899f
SHA1 hash: 15ab048438c5efe93d2eb3cc84bd277b9356ca85
MD5 hash: 83859598673d88500359d6a85a03f065
humanhash: muppet-robert-tango-dakota
File name:TransportLabel_6543076210065_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:525'824 bytes
First seen:2023-04-13 06:48:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:covFBjEVIvFz+Vl6VkCg4BxktVw7nii3Oqy3yB2OWbXTUc:H9FY+zVg4hiyOIWbX
Threatray 2'030 similar samples on MalwareBazaar
TLSH T1C0B4121377A1157FC1FE56F65A11882503B7E834B221E2CC8ED474FA26E2B815F61EA3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TransportLabel_6543076210065_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-13 06:50:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7dd72e70-0bb7-43be-8b26-72e37835ec74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381957/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed remcos
Link:
https://www.filescan.io/uploads/6437a5def4a1f6ede14e8ca0/reports/8638da6c-2910-4184-8669-87fea2a94cf2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cf55a48d-9fdd-422c-b4d8-ffd5beba17c3
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213057
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 03:21:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rib3raen4xojafa6synisniorzik2p4ecdwe4lk3j6tez7braumq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
AgentTesla
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
AgentTesla
22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf
AgentTesla
66b54ac951afcaae39c61d837f9f38543e164f8fa93e1479fb458e8e445f7e59
AgentTesla
9b2b9f8f70057a1d60700f490e59ae93972ce2fdfb852770ae08fdfff72a0611
AgentTesla
a8fe73642ab1caf476e2b0f547261adf305a85f6b25776393e543a7a6a15511d
AgentTesla
c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
AgentTesla
d7008c06acb178629eef3b665c729b7b13eb8c3c3713369cf71dd754572d731d
AgentTesla
f86378105b4028797386149c63ced3dfb596164326381b99257b49ae61d90db9
AgentTesla
+ 2'020 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230413-hlb71sbc4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bcaef0e069cb2cbe0fc9b4283907d54ee6473010d7d4f4f0631d21e9e0b8b990
MD5 hash:
598a72b6432aae3aece3da8eda0043f3
SHA1 hash:
f8f975cca6872dc971cf1ac0497bd6446428c9b5
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
Parent samples :
721cd7be724330f00dce933ea88b8a6abda0f2e83543a6c0f5bf0ce3754ccdbd
ec2832608abf213a2a622dba1ec894e80b2adfc3d0eb03ee783fa2df47dc6bf0
fb2945c4344dbf6a9de214dcb4fcc52ab7b039b17b2ab924558eb08f8fd13c71
05220984bed944b5743d4a9b640a42788d53ef523a8f9dc81c983b9da74eb6da
8573f0b0ca38799192fa3c6d6bfc928a2f1383f529e65c43f8c324b825735bd5
fe0dc5415b9e4a0aaab85349ca18704f10b02a3f5fe6de959b3e39d12a9a07a2
d6497995d3f65551d193a651e10534d71d249b8e722290bc3c1f0fd4f7156c72
74184f7d76c799408c51a411c56eaaeab7adbf28a16cc3729bb0e96f11b55488
SH256 hash:
df559376520acab1129905ac03d77f6f01b2d1f6448e8fcbed3ae04b0d958613
MD5 hash:
a48a583eca3411c919883cd252f148b8
SHA1 hash:
b35637146dbb2681a93e98e69f2d9b2e9b989550
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
SH256 hash:
c09fa585cb623ce4973b76dec7de67211c9ba8dc6a6d7f03a5966cac6713dd2b
MD5 hash:
7016124e16a8e4c24b6fb013d9776e36
SHA1 hash:
553c6070c1e74fdf33e5e1acc0e4c597e5339843
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
SH256 hash:
7c49f5ab6066b78568b89539004dd38e864878a575eb4ca41eb2901a8d1750a1
MD5 hash:
98427e4c1bc95f8dda52d9ccf94f7b8f
SHA1 hash:
5025000b485a7e17f2d5e4a675e257bed4802894
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
SH256 hash:
8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
MD5 hash:
83859598673d88500359d6a85a03f065
SHA1 hash:
15ab048438c5efe93d2eb3cc84bd277b9356ca85
Link:
https://www.unpac.me/results/583846e5-1276-4d82-a8a3-781cfee07291/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a03b8808de5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381957/

Comments