MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6
SHA3-384 hash: f209ab08387b9ae057ec7d891048360a3fa7be58fea3964bbc41f0d420dc7e157deffcc268b296153b6bc093d4721ed3
SHA1 hash: 3a0a113525e2e3be85b27651fb3da36fdfb6f75c
MD5 hash: dcf7a8ef1a8e5936b98d15ce94464647
humanhash: eight-johnny-connecticut-sixteen
File name:remittance NO. A01TT2023 PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:888'320 bytes
First seen:2023-08-03 12:27:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:LEKaJ6HA8xuiw7jA4c3AiKJNhGc1JcV8dNUm+QGjB2Yrl6cPY6Ij2:DlA7M4c3sNhGc7TcmVG92Ioj
Threatray 5'567 similar samples on MalwareBazaar
TLSH T1D415F73804780A12C135D2AD9AD4F613B3904F96761DCD5686C24FCA0AD6E2F2DDBDEE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
remittance NO. A01TT2023 PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-03 12:30:34 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8c7e6f6f-23f8-4bec-828c-f4f975b07d52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/440062/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.26398.27839.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64cb9d538b880a9fc6437629/reports/1e9d42fd-b23d-4506-8a2e-cc78c34acf0c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a82ed4db-eee9-44ae-aa45-91fcb545c221
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1285063
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1285063 Sample: remittance_NO._A01TT2023_PDF.exe Startdate: 03/08/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 4 other signatures 2->47 6 remittance_NO._A01TT2023_PDF.exe 3 2->6         started        10 MmRKwR.exe 3 2->10         started        12 MmRKwR.exe 2 2->12         started        process3 file4 23 C:\...\remittance_NO._A01TT2023_PDF.exe.log, ASCII 6->23 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 Injects a PE file into a foreign processes 6->51 14 remittance_NO._A01TT2023_PDF.exe 2 5 6->14         started        53 Multi AV Scanner detection for dropped file 10->53 19 MmRKwR.exe 2 10->19         started        21 MmRKwR.exe 10->21         started        signatures5 process6 dnsIp7 29 us2.smtp.mailhostbox.com 208.91.199.223, 49704, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 25 C:\Users\user\AppData\Roaming\...\MmRKwR.exe, PE32 14->25 dropped 27 C:\Users\user\...\MmRKwR.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 31 208.91.198.143, 49705, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->31 39 Tries to harvest and steal browser information (history, passwords, etc) 19->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-03 00:53:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zi4z3sfvxuz2mu3ekr3u4nieadigso2m53zhhdigxdfxhkpcmlta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
AgentTesla
5c6ec17d071914d391a3566bb945ff2307bc36092d3666dc0aef1ef85210df43
AgentTesla
6a3bc2efcecdd25c5257e19e630b5785dc9e8ebb259773d40d2fc4c19e377285
AgentTesla
8ef9185b4a4b8144846219c5ba29562c83184fdde73333bac466c79e7297a070
AgentTesla
8faf480c1ae966b6f4f2656368ec83dca9ab004811cf330083afc56043735a5b
AgentTesla
cb2cbedac34829b45dcc25735d79fb332bed3098741a7ca8a7954de5ceb894ec
AgentTesla
e6071ba2f488f316ab9de2f90837f31053dbbe5aee016f6c7372df78ccfd749e
AgentTesla
fee59f311b2bd04aed3c5f40d7453366ceda8931de8e9dee2a64ef03823455ac
AgentTesla
+ 5'557 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230803-pnbsladb85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
faf2ec0de386049932a61220d70d89bd666b0a8956c78633ba6f543a2d7738d7
MD5 hash:
e1ac60a4a444dc11108460505bcf30af
SHA1 hash:
f6833851b8cb07daebf3b0bdaa5709f671c19b87
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/128dde24-4108-4312-a00c-7a7279da83c3/
Parent samples :
4145d8714ef652593f921ff335aa51b47462389a331e42896b45851007ca00d0
ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6
e579952e0a6c558c001274aa13e6ac8297a3991497f0163917e6db3a37430f83
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/128dde24-4108-4312-a00c-7a7279da83c3/
SH256 hash:
2edd9354f8d8c190d808b9b3e74ba0fbaabc5b774d3abf7450571f4ca215d001
MD5 hash:
0e49082d2adeb2bcc2195611e249efa0
SHA1 hash:
7c54a5bf7196a978f0e87d66d54090dab4897238
Link:
https://www.unpac.me/results/128dde24-4108-4312-a00c-7a7279da83c3/
SH256 hash:
40821038dd9a8a0c85f1c5898dcdd8fac1499e0b569ddfbadffe1c6ceb0aa03b
MD5 hash:
71ff3a9613b8d58debedc2742c43def3
SHA1 hash:
17cc80f177b9baa3f97024e6c7606961aaf36e37
Link:
https://www.unpac.me/results/128dde24-4108-4312-a00c-7a7279da83c3/
SH256 hash:
ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6
MD5 hash:
dcf7a8ef1a8e5936b98d15ce94464647
SHA1 hash:
3a0a113525e2e3be85b27651fb3da36fdfb6f75c
Link:
https://www.unpac.me/results/128dde24-4108-4312-a00c-7a7279da83c3/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca399dc8b5bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca399dc8b5bd33a6536454774e350400d0693b4ceef2738d06b8cb73a9e262e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/440062/

Comments