MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc
SHA3-384 hash: b58e6ec9ea8025c619c9316995e26dff294352c35c70cdf535da2c7682b9f3ed69d790aac77e541101293d3ccc529014
SHA1 hash: ec78cf4edb5755a7436f405514f7915bee8453c1
MD5 hash: c80973c70f85bd1306dde3638c065b4d
humanhash: grey-indigo-undress-cardinal
File name:DHL_46773482.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'465'856 bytes
First seen:2024-04-16 07:38:43 UTC
Last seen:2024-04-16 08:28:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:jCfeRVeaNWTOFd2GwGba52FW21pX/9xd3vlKqNLzCpy+katRjthXibCHn:xOTOFd2GwCa5D+pX/zl9RzvCR7Sm
Threatray 4'298 similar samples on MalwareBazaar
TLSH T14465331428FC4B92DBB907FAE6254514B3B386265472FFDC0DF120DB0DB5B208A59B6B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon e9e098ae9aba8ab2 (12 x AgentTesla, 2 x Formbook, 1 x DarkCloud)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc.exe
Verdict:
Malicious activity
Analysis date:
2024-04-16 07:48:10 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/3b53ddd2-3dc4-4286-8440-b8e08983fcbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03b1e6d0-9170-4f92-8b0f-89644246bc72
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426538
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426538 Sample: DHL_46773482.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 31 mail.dion-olympos.gr 2->31 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 9 DHL_46773482.exe 4 2->9         started        signatures3 process4 signatures5 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->49 51 Adds a directory exclusion to Windows Defender 9->51 53 Injects a PE file into a foreign processes 9->53 12 DHL_46773482.exe 3 9->12         started        15 powershell.exe 23 9->15         started        process6 signatures7 55 Adds a directory exclusion to Windows Defender 12->55 57 Injects a PE file into a foreign processes 12->57 17 DHL_46773482.exe 2 12->17         started        21 powershell.exe 12->21         started        59 Loading BitLocker PowerShell Module 15->59 23 conhost.exe 15->23         started        process8 dnsIp9 29 mail.dion-olympos.gr 185.25.23.64, 49725, 587 POINTERGR Greece 17->29 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->33 35 Tries to steal Mail credentials (via file / registry access) 17->35 37 Tries to harvest and steal browser information (history, passwords, etc) 17->37 39 Loading BitLocker PowerShell Module 21->39 25 WmiPrvSE.exe 21->25         started        27 conhost.exe 21->27         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-04-15 12:40:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r25lcbjn5fdfkxy6bzfh6ygyuzkhgyaldglger433wifjmjv7loa._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
03eaf5508873192e98217c09dd3c737fe090039e216f78748a88334d20c1dbb0
AgentTesla
450add1beb1f7e147fe1bad4703b3cff106ec962e8137dcc3136cf681e9293be
AgentTesla
65c4d932a71d1f36d1c57b7ed319c20446d3c935b60f8f1262bc047e1c6556ff
AgentTesla
dec1092840220a627e2bf5aba68107a16f702c62d4edd4d6305f1a707cfb352c
AgentTesla
e9a3a2b3229b0c1b7c3d7d9958bccec2d0d64815542d5ca35feb402e2824619a
AgentTesla
+ 4'288 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240416-jgy2naed4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
22b9cf2506bb0035f7647c78dc56f7c0f9fbe3ece4a587aeda93709cb3833c09
MD5 hash:
bf857e499c01d6d307bd50790e44ea0d
SHA1 hash:
e5482ab1fc1a500fe2a3c5c44626ef90a12885c1
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
SH256 hash:
e42e57eff08a1fb0f0ec4cdbb7fb5c875d09d771827fb99079c5e71c79e1b7c8
MD5 hash:
fc31a41790ae50b25980a91f65e99357
SHA1 hash:
91a4dc4fd96cec631ff15cf52a58406e9fe216d4
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
Parent samples :
6682d4c801b131d5de5810898709e48f858f7204de3fbe9eedd08d7649202a4b
8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc
SH256 hash:
523ef3f09ba28f852dff22e87afce3d83277bea8abb87bee52b3f83711c438f0
MD5 hash:
8650562a875913cd54dfe29bff61b394
SHA1 hash:
35621fbc56dc2e8d4ef6d0987a812ea7c4bfefb0
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
SH256 hash:
71f96796bf5b22d26d47bac3dfdc4cca2d7880eb0e79b67083a66e565b542b93
MD5 hash:
fe346a5652469c78106f9d51ff93901e
SHA1 hash:
8acd81ec84cfc5a26c6b6062860bc95f3e5c76d4
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
SH256 hash:
b327822692c1e8ca46454f7633a10f2927b88004169cb61e66ad52c41fbff564
MD5 hash:
b3b5fa731d500be26a60b164e44fe67e
SHA1 hash:
2d5976b7d8ea52232d1b29cf374f8b9428f23ca3
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
SH256 hash:
8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc
MD5 hash:
c80973c70f85bd1306dde3638c065b4d
SHA1 hash:
ec78cf4edb5755a7436f405514f7915bee8453c1
Link:
https://www.unpac.me/results/3b194109-5a65-4fc2-8451-42c3bfc1b21b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ebab1052de9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ebab1052de946555f1e0e4a7f60d8a65473600b199662479bdd9054b135fadc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments