MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099
SHA3-384 hash: 5ab2bfc0d7f9b4e9763bd2571dd9359172a592a5ce6b21bc16a1d320281c30e4734326318ce4eaa72e394d7323b286d4
SHA1 hash: d4ddb30960a78b98b15d6d75bdca331837242762
MD5 hash: d07073324b18ed630883560c5562845b
humanhash: glucose-louisiana-shade-lima
File name:ORDER LIST.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'144 bytes
First seen:2023-04-26 01:31:07 UTC
Last seen:2023-05-13 22:54:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QbSJgvmfXik/JLWtMbp1ann1FFyVN9SsxdS2bdMiqKe/2:QbSJgvmfXikhbp1A1FFyVN9jxdS2bdzo
Threatray 568 similar samples on MalwareBazaar
TLSH T135E4383829BD2727C178D7F58FD08427F2A4A96B3021DE6568E767A64316F1225C323F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 38bc3ce4ccc6de0c (6 x AgentTesla, 4 x Loki, 2 x Formbook)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
266
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER LIST.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-26 03:08:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63458fb8-0ae3-4114-8ade-abc25cb0e393

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384978/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64487f138615b5d32a53105b/reports/b6d34a4a-4254-4fbc-bbb5-5d420de7d0bc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b54ebff-c820-4dd4-b4ad-59242ecb6fd0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1221163
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 854116 Sample: ORDER_LIST.pdf.exe Startdate: 26/04/2023 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 69 8 other signatures 2->69 7 ORDER_LIST.pdf.exe 7 2->7         started        11 ZlVmHWJOkYuUN.exe 5 2->11         started        13 dRSoYp.exe 5 2->13         started        15 dRSoYp.exe 2->15         started        process3 file4 53 C:\Users\user\AppData\...\ZlVmHWJOkYuUN.exe, PE32 7->53 dropped 55 C:\...\ZlVmHWJOkYuUN.exe:Zone.Identifier, ASCII 7->55 dropped 57 C:\Users\user\AppData\Local\...\tmpF44A.tmp, XML 7->57 dropped 59 C:\Users\user\...\ORDER_LIST.pdf.exe.log, ASCII 7->59 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 7->83 85 Adds a directory exclusion to Windows Defender 7->85 17 ORDER_LIST.pdf.exe 2 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        87 Multi AV Scanner detection for dropped file 11->87 89 Machine Learning detection for dropped file 11->89 91 Injects a PE file into a foreign processes 11->91 26 ZlVmHWJOkYuUN.exe 11->26         started        28 schtasks.exe 1 11->28         started        30 dRSoYp.exe 13->30         started        34 2 other processes 13->34 32 dRSoYp.exe 15->32         started        36 2 other processes 15->36 signatures5 process6 dnsIp7 61 mail.candwmail.com 213.46.255.75, 49695, 49696, 49697 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding Netherlands 17->61 49 C:\Users\user\AppData\Roaming\...\dRSoYp.exe, PE32 17->49 dropped 51 C:\Users\user\...\dRSoYp.exe:Zone.Identifier, ASCII 17->51 dropped 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->71 73 Tries to steal Mail credentials (via file / registry access) 17->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->75 38 conhost.exe 22->38         started        41 conhost.exe 24->41         started        43 conhost.exe 28->43         started        77 Tries to harvest and steal browser information (history, passwords, etc) 32->77 45 conhost.exe 34->45         started        47 conhost.exe 36->47         started        file8 signatures9 process10 signatures11 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 38->79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-25 06:40:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vafqzojlizbg2bsrhhli3alhv2smfxxsz6pbjs2tns6k7weuqcmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
38eb61d29ccf5e2246ca870bc6dd624ed7c36cc0dff688ecfa4d7d37a89d5793
AgentTesla
419a7244b06e45c5c11e7c0ce05fec02b8fab5362667003f968c0619112a79d9
AgentTesla
7d6b27a4fd8eec9fd5176dc598d650f8f56eef9a829ff693afa0638cac14e756
AgentTesla
89a2b28ad32817e9be0489ae7fa0a9134f0f0b38f2e93f74c24e9278492ddb5a
AgentTesla
976bfd687346e615512152ded527cf9150c5044573f8b1e2d0ca0106d8e2d2ed
AgentTesla
c45292e83152f9421406c73db9da29551b0c2cfdbb06cc76a2169dbe2fd45acd
AgentTesla
e60dcdd04435bf5ff6935b29b8b524a559e0be5212a6e06fd99f1c444d9f4354
AgentTesla
+ 558 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230426-bxyrtsec35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
SH256 hash:
829795ab5c8a80609cf3e7ce764ebf7fe33fd196b40d799670d23a3fcf85c0c1
MD5 hash:
219d339c63fcefe905193a88f71f2f87
SHA1 hash:
e2ca0aa9c7b1e2d7a52d7126333d34af5bacfb11
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
SH256 hash:
5c865bf4a0f624a02555b8b9decbb779cc6f3d5cc0fef535b94431b0df7c10d3
MD5 hash:
b3cacd2b257cfc12f3ceb8a820955ea7
SHA1 hash:
d160235fa45fc72362e790ab104bcb163bb42ea3
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
SH256 hash:
e8108d9f2f5ad8227f33ef7433c5555245d721d74d6c1b90f5d6e9bd80031ff0
MD5 hash:
36c1b31f10f761d3edd80aa580b4c7c6
SHA1 hash:
a717266a3e7b711b4b2470059b9087374ab0932f
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
SH256 hash:
14a6da0759e2a7821dd5bb8642f1939dbf1fa53cb544e297360a7a407d8af68f
MD5 hash:
a1a9a61b8a009be00644d49b3a719652
SHA1 hash:
712fc0d7e3a77e80bc1473d4e2a32c7050018c1e
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
SH256 hash:
a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099
MD5 hash:
d07073324b18ed630883560c5562845b
SHA1 hash:
d4ddb30960a78b98b15d6d75bdca331837242762
Link:
https://www.unpac.me/results/a5ff5f4d-ec95-4057-a24b-3b13a5396260/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a80b0cb92b46426d065139d68d8167aea4c2def2cf9e14cb536cbcafd8948099

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/384978/

Comments