MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
SHA3-384 hash: d4c696e6fcd79134d56ed68684e4a540886e3244ff86fc07b4d3613e3c9e790089b693984647b8768e34d486e448fcec
SHA1 hash: 73b01517a70c347ec1a840713e0e146b448daf36
MD5 hash: cf42475e480640b92732a1b04654bb45
humanhash: echo-leopard-mobile-illinois
File name:New Order332009 pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:525'312 bytes
First seen:2023-04-13 06:55:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:XTmYCUgK+/2YYmDUNTrX43/y/EJ1DrrmVk2tz:y2DE2SDB3/y/EJRo
Threatray 2'021 similar samples on MalwareBazaar
TLSH T18AB41213F324C937D46842F50A4A591947F3A926F870D3C84DC964EE3BE67420BA2FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order332009 pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-13 06:56:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/494dc0d9-c427-4179-a9c4-a052eff24256

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381967/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/6437a78359a1287810bc03c1/reports/5899ab8f-d67b-444b-93ed-aa410b3e354f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4530d72b-118a-4cf2-a4d3-edef8e24a685
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213066
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 01:02:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzob533nhovk4j3xmm4ogj65nkj36qgebes2hkbfq6rdpc3ui3wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
AgentTesla
66b54ac951afcaae39c61d837f9f38543e164f8fa93e1479fb458e8e445f7e59
AgentTesla
745334ebcf459ec748d00eaf3bcb94045cebdd6275aca548255c1c922f0f9d9d
AgentTesla
935a2843dc01d80582184dd6aa77fc2f4c99aaeb48b9dfef6a1e1df2e927feda
AgentTesla
a1e44dff73b4a8616ae1b39f3ecf82b457859f3aed8b208ae41e79d7d79c5ef2
AgentTesla
a8fe73642ab1caf476e2b0f547261adf305a85f6b25776393e543a7a6a15511d
AgentTesla
ee734d6d93d42624ffd7f363f3252ee46cfbc5b6adef174447232605bda7d607
AgentTesla
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
AgentTesla
f762c98b251097d1cbc8bb09b9deb573132689d83996d6884984d3f334fd2f18
AgentTesla
+ 2'011 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230413-hqcpcabc61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
61b35f4d4580337131f53af9521956126f6d924e66d198d96ac187ea958cf363
MD5 hash:
af805fb1f8ac35c515ddeeeabc564bec
SHA1 hash:
9ac0f67221593ce3a27e1cc0895468aa51f8f21b
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
SH256 hash:
e51e43cc532602b486fcf66334ecbb91a767a74d3721c6e65674bbf39bc432f6
MD5 hash:
0cc5235289ebb912ecfc3064e4c45e58
SHA1 hash:
36c4f8855e80498e1b5034f40dda4c3a35b73e0b
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
SH256 hash:
8dc0f5cc91561e3301a9fd9c7326163529de496edd1569b24717ed2020954217
MD5 hash:
07496690651b0a2a66c2200e9dfd70d8
SHA1 hash:
156897900cdf67fb9594563dfcc902990f026fe0
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
SH256 hash:
260283eef92dbe2fd9914b53e658df5e3005bd4e0e8f1a507a8b03fbc637f52d
MD5 hash:
6fcd404fab93d0cf875ef8fdf9756e0f
SHA1 hash:
13ce03019622c95c5091f3bbdf2bcc70e714a626
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
SH256 hash:
c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec
MD5 hash:
cf42475e480640b92732a1b04654bb45
SHA1 hash:
73b01517a70c347ec1a840713e0e146b448daf36
Link:
https://www.unpac.me/results/d21e6983-8529-4e37-a5b7-818161c43f7a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c65c1eef6d3b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c65c1eef6d3baaae27776338e327dd6a93bf40c40925a3a82587a2378b7446ec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381967/

Comments