MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd
SHA3-384 hash: f880b70de183dd197d18ebadc156e66d7255ada125c93dd290da19645d63eee9da448c54d64b4f2f42c4deaf57eabcef
SHA1 hash: b1878ccfc95197b9118e29f8d75c0b021a8986cd
MD5 hash: 6917e37cc49ab94d2a4dad578d11b7eb
humanhash: montana-hot-nineteen-batman
File name:Orden - PO-23-016827.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'760 bytes
First seen:2023-04-20 10:16:55 UTC
Last seen:2023-05-13 22:54:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:cRQZIPPokWHUfSxQYkQV1J6axEShU0FjwIEttLcW/kcaGL:QKIPwkW06xQYkQnJ6YHh5ytLcfcaGL
Threatray 2'356 similar samples on MalwareBazaar
TLSH T134C4F1F813C4971EDC012BBD5A04A8883BF648F9C4D4DE9DDA7AF48B5DBD7219004E9A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden - PO-23-016827.pdf.gz
Verdict:
Malicious activity
Analysis date:
2023-04-13 12:29:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b269ca2-fb2e-43b6-b343-457684c02788

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383732/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/64411149cf53491c998884dd/reports/f1d32457-979a-42fb-b13a-8f6804d3aaf0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/992d83cf-8ce7-489c-8e1d-3476f926d188
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217867
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fxnfuwyb4sqccex34bgsy7houst6yczxy62iegxfzmuf2iv2ns6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22cc0f0f7f87f0afd0fd17465e04682c8bc6d868103a09ae9922b39276113d63
AgentTesla
3adef7268e1bed2ac601b251a07c454d2c24997bfad1a45895b1b0676cd93294
AgentTesla
63ab4748c1ab681a7376fa180f0cd9aa86c3739ade5e86babee3896fe13094a6
AgentTesla
87d3bbd8edcab168832890e4d362542e2be35fe286ce9a2ebeeb8216d08cca0f
AgentTesla
8d146385e353299953a823506c9e9d0aea25715de4ffd94ea46f7e77d79d32e0
AgentTesla
a259e91f8ab724be3909f2d4c8dda9397d9bb51a853b09164f585bead32e44f9
AgentTesla
bd7e8f8ff2db3d253c799414c5c41ef046aecf5790b0b36a2f1eef4763aae16a
AgentTesla
bfbf10e0e60ae847c7f5a2da040b161d78a3c8ef9b357158cfa92a9cff6da360
AgentTesla
bffea4bf5d2cda8c23b02e73e1a5cc9a43da3816c7193f23db798e4982916c66
AgentTesla
c1fea3070e2c0836fee930ce393a597e18a4c383a4ba007700d638f6a956da2c
AgentTesla
+ 2'346 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230420-mbhn9shb93/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8499077986d7348f42f7c7541d0727cdda5480cdda8b5ae429579ca24a2e5103
MD5 hash:
189894f0f44a0b8e4f7cf78c8bad87d0
SHA1 hash:
d3016465298f8dd0f703dd59b274e01cc669c236
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
SH256 hash:
bedcb629f5c744336db8dc00f68f97395fd21c0dd8933063367aa17dfc867515
MD5 hash:
f883f0ad5a538991dc8ad25cc98e21c0
SHA1 hash:
c8015c41705ea9374e7ca196ef84fad782299d98
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
SH256 hash:
c8a3c9cfb3b6c44625ec5b6ab9e7ab4b3aaedec3488417921cd1c2f21453610d
MD5 hash:
cde62870f865a549dd26f77aae859ba0
SHA1 hash:
7adc1e625baa182318cb070cfe15ec9d8b043810
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
Parent samples :
2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd
0cd219bcf6e303161859a84613942125211d25671ae158f5bd0cc63da22c5b55
c8a3c9cfb3b6c44625ec5b6ab9e7ab4b3aaedec3488417921cd1c2f21453610d
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
SH256 hash:
2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd
MD5 hash:
6917e37cc49ab94d2a4dad578d11b7eb
SHA1 hash:
b1878ccfc95197b9118e29f8d75c0b021a8986cd
Link:
https://www.unpac.me/results/be802eed-847e-4436-ad84-eb4221b68993/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2dda5a5b01e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2dda5a5b01e4a02112fbe04d2c7ceea4a7ec0b37c7b4821ae5cb285d22ba6cbd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383732/

Comments