MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f
SHA3-384 hash: 6081385f61b8e16fedfa7b6e3625425c6debffddf3e4ac0505498af6606f752b6b0a4edf5ecc1cfa90ff02cb0fa2a924
SHA1 hash: 33397ac353d05368aa4322e33f081e8234ea3ffa
MD5 hash: 83d7923f4cc03873f987929f69b370cd
humanhash: green-orange-vermont-thirteen
File name:Quote Request - PO 5678980-099_____________________Xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:665'088 bytes
First seen:2023-05-18 11:49:10 UTC
Last seen:2023-05-20 15:21:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:VIH0H45yDwEtTa8OtoT8g0xzX6/0wn5oV/Tq6SfgwkK81sBlEXrcureHqb4mnY35:VIHsg8O+TmX3ZTsJSsBlgcuYx3Ur
Threatray 1'451 similar samples on MalwareBazaar
TLSH T19AE4F03027D5CB1BD06A527991E1C3F05775CE84B866C7878FD9FC8FB1CA3AA2252285
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8eae6e6e6e6e46a (13 x AgentTesla, 10 x Loki, 7 x Formbook)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
328
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote Request - PO 5678980-099_____________________Xls.exe
Verdict:
Malicious activity
Analysis date:
2023-05-18 11:50:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e039baef-a11d-417b-9715-18e29ebfc01c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.17169.774.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/646610eeb84b25b2d4a168aa/reports/1c5bf10c-51bc-4e69-a954-cc27864277d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58dc344a-7e3c-4ae2-9740-91b699a93e81
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1235900
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 11:37:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 37 (56.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rlm3cavrav4hvftoanuuuxnytcdll76ps7un4txtid3wwxu6pzhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3836e97722f2267266161a857140dfda9731e6bcec5147169c86410a39ac24e7
AgentTesla
7149bce0cf55829579b5e141f8c270f9d9c6f152e37a02695f64f5d6adfa4381
AgentTesla
a4b5f7aed3df1aaffcac4423faf222b78da209a22d2f6bd74cdf46d2b1498670
AgentTesla
ad06dd86354aa9e61e6de1aabf9efa7539fb13edb2e23e1eb63b86d59203e55f
AgentTesla
b0395651726166ef26b1ca3dc82aaf9e4513ca0ef7f9f2a14d3beb0bf85f767e
AgentTesla
b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295
AgentTesla
cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
AgentTesla
d89787191bcbb0685fe37fb26409367f1b00a23e4f578081785f7dba7aa2a9ce
AgentTesla
e3e6d851f1598eb145492e46d7431f72436178f1a60ebc4d6742839e12d52200
AgentTesla
+ 1'441 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230518-nzlaqshf2w/
Behaviour
Suspicious use of SetWindowsHookEx
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b18de0351ecad68e51a49c050a67dd8d4c8cb238685fec0b5e47f40829c7673d
MD5 hash:
1530b080264647591a8d77c41358c688
SHA1 hash:
f0da477d8059618e0104f5cd08cb343c060a0c05
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
SH256 hash:
9930c79d1ffa1185d8af9b457de8afbb8afbf8ac99870b7a1cff5bcf12f3d4e6
MD5 hash:
d505f661fe5fc57bc83a8bff45330f05
SHA1 hash:
d055570830e397909ddf69241b4014e9acf4598c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
Parent samples :
8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f
6e57cd573de3d14fe09f11364476b54f2b935d545be1258ee843d31573846622
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
SH256 hash:
9f3db1f3aa553cc2df75697fca8967ee770a83e9dbf6bd5605befa2446a1699a
MD5 hash:
33aa879071bbf1fe0fa8f90261fa9bcf
SHA1 hash:
a5de9677676072bb1f24515811372f9d42ce33c7
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f
MD5 hash:
83d7923f4cc03873f987929f69b370cd
SHA1 hash:
33397ac353d05368aa4322e33f081e8234ea3ffa
Link:
https://www.unpac.me/results/63d5beed-4f74-4bcb-bd0e-95156cefeb05/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ad9b102b105/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8ad9b102b105787a966e03694a5db89886b5ffcf97e8de4ef340f76b5e9e7e4f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments