MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
SHA3-384 hash: 5bd2cc979fbacf545fbe6c5cae1ddac8804df232d3dc42e169cdd45daf643176ad0d31cdc506662957338faf7a7c2b7b
SHA1 hash: 4de0a85dd5b3be04fc24274b35e15a64c83150da
MD5 hash: d0596e13e39e62d461da77d1c0b2be67
humanhash: bluebird-artist-seven-mars
File name:DHL BL_4788200.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:787'968 bytes
First seen:2023-08-22 07:47:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LUVv25w+cR7AA5x2d1mbTV2t7Qb9hUM6We313lX0PZSBCITuscTlZth3mWES+GN:LdcFW7Qb/UM83XX0gBCITqzth3mI+GN
Threatray 5'482 similar samples on MalwareBazaar
TLSH T1AEF4D01223B8871AE2BE47FAD5704CA487BEBD17E956E31E0C8038ED2572712DB0556F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
colicontjal.org.mx:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL BL_4788200.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-08-22 08:30:40 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/4f84516c-718e-482b-9301-90c9567978aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444075/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/64e468339489ac1ead3c3bec/reports/ce706f05-b77d-44c2-8af7-de56b85e6df8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f68e2204-2ccc-41e1-86ba-9bcdc4a5dc28
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294955
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-21 21:04:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
21 of 37 (56.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vi2r5g36ed5j7e2hwi5r5mhnitd7nyo5eovvtfae4bn5cvmah4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0025b610d65b8bd7d665320167eced413ca374996636a7553550255a198ab265
AgentTesla
3b4d2193bb4a864857c7ae8d11fbd20330001acf138f81c774dc7ce1e3363ed7
AgentTesla
798a1dd333191702e1ada41a7d113ebf25f611e17562d9466d0bfed0d0f87271
AgentTesla
86233dde1f7f4fc654835a61c19c671d221a8b6c60c2b8bf47971a09a9b834fc
AgentTesla
865a96900b64bb3aca2d50dd65ab111ec881db5935f1dfd753dc48ce6cf21532
AgentTesla
bec9d10adb4629b7438c1450a378f704130f925170978084564a89c2e5f8ccb0
AgentTesla
de96b58170192186f3f118155903287e871cd7c2950900645367527129b375eb
AgentTesla
e3699bdedcf4bebffc1e2e2af639da53dc9abd0e7bcb4e917def61a01a880b69
AgentTesla
fa882068acfc15aaea82a925df6e6bf21a2c24c114f7f382cf524431690c4b0f
AgentTesla
+ 5'472 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230822-jm4t4acc51/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/22c3d3ae-523e-467a-b8d0-aeadbb1d4ae2/
SH256 hash:
6b959869f767cbed167d5169ef0f2375ea56e202a0a8ac8dbb8f05cd1eae661e
MD5 hash:
e845de7a4cd00244a0f9446be285469b
SHA1 hash:
9749766f00920445091f6b27306bf09be01c0ae5
Link:
https://www.unpac.me/results/22c3d3ae-523e-467a-b8d0-aeadbb1d4ae2/
SH256 hash:
ab9766ee2fb05a3ca3ef3e15acaee243ad83c757317219b3361d9f0b5bb41a3f
MD5 hash:
e3fb57dde076e6db33c9accd17b293b7
SHA1 hash:
69a9a5bdcec1c1b807dd0d6a229800bfffd3c1ab
Link:
https://www.unpac.me/results/22c3d3ae-523e-467a-b8d0-aeadbb1d4ae2/
SH256 hash:
10278cf5ab1c5f5546dfb1304bbda18ca675a0e8e1349dcb0ef31ed6194faf8c
MD5 hash:
38fac24186205e7e454668f493ee4be8
SHA1 hash:
0c0b6cf267e9ce8bee16231bd1de791cd19cbb0c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/22c3d3ae-523e-467a-b8d0-aeadbb1d4ae2/
Parent samples :
10278cf5ab1c5f5546dfb1304bbda18ca675a0e8e1349dcb0ef31ed6194faf8c
d975b68c91c59dddb7b6777f6f2f78300ddd9be5c51f483994ea26106839a017
fa882068acfc15aaea82a925df6e6bf21a2c24c114f7f382cf524431690c4b0f
7b37b945add0e6c872027313e3e011bf368c5cd038d48d3f719e6f08927af861
de96b58170192186f3f118155903287e871cd7c2950900645367527129b375eb
865a96900b64bb3aca2d50dd65ab111ec881db5935f1dfd753dc48ce6cf21532
86233dde1f7f4fc654835a61c19c671d221a8b6c60c2b8bf47971a09a9b834fc
17b7a8bce60617c9f97a3464bbdba87d94da9c08b533fc07f3727376feae538d
798a1dd333191702e1ada41a7d113ebf25f611e17562d9466d0bfed0d0f87271
e3699bdedcf4bebffc1e2e2af639da53dc9abd0e7bcb4e917def61a01a880b69
bec9d10adb4629b7438c1450a378f704130f925170978084564a89c2e5f8ccb0
ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
23a188b67111d6c67ba62e1588479154ca23c4c65d768a662b873757a3419ed0
845bd19a89db0310a363f915e1e92d5e1d2943bd4cb0f9422368d563de2d850d
94688cb7dc0518d6dd77ca23bc6b591bb2be55d9006d91e3ef074b96ab638842
b905e2aaf41c07e00b4daf4c1d473a43880057be0c95268a5c4eb8c838f80c2f
7c35caefea294401fee0251043f126c752de452da6e0376e5f959f6dcc688796
6c42ee7167cd0229fd37b09bbfdd37f5454786457284a4c97583832d86af01e2
0b282c5279640f86929276ce1a52be1ec7e892701954362e5568f254101880b5
74a84823c35436e2a73f303aaf86be5d2c59f025c948c0044f948d613da91870
6703706a8c532bece036e36fc650fc082b04c5b771e5c2458adf28fdc667ad97
f74c6a3def1ced2a6e4bc81fec1b4f062eba67ce271ca4a47271631986a6d1c3
ca5c1fefe9b9347b995dc040b7e50b867be70729041afffd475ce7856f394f5b
bccc2a1036cae75070c4f2df937c91cd36f718a7956103abe42b99d01b4ae044
197340e586131099b95d8d2fb46791806f018fd643172e841cde25bd436b90d8
7df6c33cbd852c467ef5a454451436e31a48d360a4959224e11a79ab4ad10f91
f1766635b1f5e7015ff13d8b6998366b45550d8be505f002b8e6192db3e503e7
be10a38e0b54ec2152d5b6094ebe296db7ad897445a7d5a4b1bd82789437dd65
SH256 hash:
ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8
MD5 hash:
d0596e13e39e62d461da77d1c0b2be67
SHA1 hash:
4de0a85dd5b3be04fc24274b35e15a64c83150da
Link:
https://www.unpac.me/results/22c3d3ae-523e-467a-b8d0-aeadbb1d4ae2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed51a8f4dbf1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV4
Create hunting rule
Author:Rony (r0ny_123)
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ed51a8f4dbf107d4fc9a3d91d8f5876a263fb70ee91d5acca02702de8aac01f8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/444075/

Comments