MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc
SHA3-384 hash: 5a131ecc31544d684ff6c3ab1c8130ea34275a18bb953c861132362d524f33fd4df19533ef6891a368a88350549039ae
SHA1 hash: 25f3682316d3281291f8ae55bfac6668e40c9a43
MD5 hash: 167032939925b8d9631f7786113350b0
humanhash: ceiling-football-vermont-foxtrot
File name:DHL - OVERDUE ACCOUNT NOTICE - 1301493699-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:596'480 bytes
First seen:2023-05-16 11:07:23 UTC
Last seen:2023-05-16 18:10:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bYNv5549XFFTlWC25XgDiWQzHlgwZ45GYBlh74Q3V:+r49X/ZWL5QEp1Z+GQf
Threatray 3'654 similar samples on MalwareBazaar
TLSH T19CC4D07050EE4B90E02FCBB165B8FC72023274F3AED5C9751B66A1C4CE66F506E84A5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL - OVERDUE ACCOUNT NOTICE - 1301493699-PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-05-16 11:15:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad9cf169-7ae9-4ab0-a410-2f34983bddf7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390412/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.28517.2159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/646364138a6d58e451cec5ee/reports/54f830d6-caff-4142-a3ef-a8f5ebf8d039/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c3647ad-1e8d-4e2d-8eb2-a253eb3593e2
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234619
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 11:08:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=robes4udmhms3diishlvoenqp3redwzcvdfbxtzo7ywpcqqe3hoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
005eb1d8df310f308e9ac99c488ea415174fd9aff3fc875117b056e535d08271
AgentTesla
3483bcc8e4d439c0883bd94044e95f23c4b674c0472af8e695594e00bbbf9dbf
AgentTesla
584b466de40e9a985d022ba115ee7301b46261f1526516eaae36760a435be241
AgentTesla
5d9bb423fe6b1cb4fa77edde15ac108d779750606fe6dc904c3190af91b4af75
AgentTesla
9c66ee8408f346d107b9de203506f8006ee635f3cac6efeb4f14b8446b2916de
AgentTesla
9cedcc423c89f58cdef6386a96d9d57237cc0ce9b84622651691ec7e40d1e128
AgentTesla
c6dcc5ea2ef3af8a214da77f1b3d14af29cc066fbcc952b291494ae321279edd
AgentTesla
ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
AgentTesla
cd94bb8956e12aa67943b6bb657f17d2680b848b36f8726283a2037d1d588461
AgentTesla
fb8564efb19ac7b2777934eeff430c908f3a3e4989ccffcfe0b82453ac222c8f
AgentTesla
+ 3'644 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230516-m8jylahe2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
a7485443b331c2fca54197f53638cb11a8c82bac339b66f35b95d0ad0aceb438
MD5 hash:
dfca41d2838170cb07ef445bb7d9c987
SHA1 hash:
7622672bed23f065cafdf2a17879ebf5926aba8b
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
SH256 hash:
51fc2f06b5cf5b85c57b1a2e48a9885f5394aae27096efd4ba8a3f17e0a1da03
MD5 hash:
f5f99c3b65e9162cdd95d27766e35d01
SHA1 hash:
4c30932424757c57c191a0f33ebabdd3bb70e462
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
SH256 hash:
ba21568d031921d86c0686b6ec3d5531a599940aa4a98f5b4b8e1501afe1c64f
MD5 hash:
feca98cf6bb2a50b484d41adff5371bc
SHA1 hash:
2ee7611eaaf152ebafcbac6fb05f58b4a5d8e4f0
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
SH256 hash:
90618f0283ea1bd9489ac121e83e4558927a5de19ea752c65721707aed6f02ae
MD5 hash:
0a6a66d536d763d9eb8ff72a9da4d379
SHA1 hash:
2be820e0c08d2859f30c94fbd0b81f4eb8a6143c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
Parent samples :
ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
584b466de40e9a985d022ba115ee7301b46261f1526516eaae36760a435be241
c6dcc5ea2ef3af8a214da77f1b3d14af29cc066fbcc952b291494ae321279edd
8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc
e52bf3df9ac10f10f9a9e7e8287950565ba725dce1c6b9315c77b4b361d7edb0
683532549c9b7349442f5dc3466cacc398bb663564eb63f77a2964dd216dce16
90af14f7e125ba4bb6b30152719708b262b08d77b30b02d02ee136d2acf8bfb5
SH256 hash:
8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc
MD5 hash:
167032939925b8d9631f7786113350b0
SHA1 hash:
25f3682316d3281291f8ae55bfac6668e40c9a43
Link:
https://www.unpac.me/results/4cc9ef76-fb99-4638-9ea4-71ae2acafe49/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390412/

Comments