MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361
SHA3-384 hash: cc8c93d9f513c65ff5d77c0ba89a0a13c073b8676f5d136a369656fe1b52f1d31d6f0117185eda53ac923db8116253c6
SHA1 hash: 5475d5d4202f56a3a247809a8d682937de0eb481
MD5 hash: a45ae9e7a7b1da49a125c323678b3aa6
humanhash: cup-vermont-diet-mountain
File name:Purchase Order # CCI-12622-11.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:267'776 bytes
First seen:2022-10-12 08:18:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:kl6soos6Ue5yXcZKV4wC2nw6GHlWiqMEqaob5Kvtl0sC5ptsy:kcsoqPU75C2nFGHpAu5GX07
Threatray 47 similar samples on MalwareBazaar
TLSH T11B44D10855FC8641E6F59AB54BB052B5C278BB235721D8A928C93CC7F4AC31ADDECE43
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319269/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.92757.5391.27289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Sending an HTTP GET request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6346783b67135c9da2468151/reports/95b7c34c-a64b-4571-a2c0-f653dfb9e104/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f5413c01-f44d-4041-b0d3-606d1975022c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088661
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-11 22:08:39 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=za6sats7u5ssqkog55t224qilr4lmr4lfx6qhyt3wxmuob7binqq._file
Verdict:
malicious
Similar samples:
5957f22f5a9db32e32e71ac070731648a1c3305dd4483375aaa8192a9ca20836
AgentTesla
5ff630bb32483baef5a0d497a5e37bff0484cdb5d3126ac959a931070ce61730
AgentTesla
7d7157dafa1904a0d5331931d078f7058a11316863715581fa3db547198029e3
AgentTesla
982c304e29519124bbad050a7a9b1cd53477f49d742f399fe3e22fe3b782e837
AgentTesla
a640728ce2e61788d7063b35cbf233630a08a16051507d446bc93e57e713d0fb
AgentTesla
c3b9b17acd966a36e27681a32021b35e022cc0df29ee937c61dc766e87f9ecd0
AgentTesla
ce6a420547785fbbec9f1b5d5e586737bba24219ecd8e689621b7c214691129d
AgentTesla
fb9bbef98b7ffc2a00f3bbb33e55f58eaf3db1f255c61376c9f6eb52e867f81c
AgentTesla
+ 37 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221012-j69vfsdacn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8328d87f-4d8e-40b7-9acb-3246295dfc09
Unpacked files
SH256 hash:
c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361
MD5 hash:
a45ae9e7a7b1da49a125c323678b3aa6
SHA1 hash:
5475d5d4202f56a3a247809a8d682937de0eb481
Link:
https://www.unpac.me/results/280287b0-9da1-4556-bee7-6c890ec38e18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c83d204e5fa7652829c6ef67ad72085c78b6478b2dfd03e27bb5d94707e14361

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/319269/

Comments