MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03
SHA3-384 hash: 53aa8b1134da253002306747c6f6d4b234ea11e1feed764206de39a56734304d61200b19058ae3888b081ed84f691de4
SHA1 hash: f63b13d15d41d84d9b4b004e2656e80c8c8ad2be
MD5 hash: 9c2bc4f9ab1d2fb746991db92330a28c
humanhash: music-mobile-fillet-mirror
File name:(PO 973)____________pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:726'016 bytes
First seen:2023-06-01 12:58:13 UTC
Last seen:2023-06-01 20:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:7aHkmFx2iqNhujGjU7fvelykdswXqhA6fEOG0OjPkM9qBIa9FRWKE7v1:+EmFxUokKJfEOG0wPY9UB
Threatray 4'593 similar samples on MalwareBazaar
TLSH T1E8F4121836AACB67D86F07FE50602E7043F96B8E7226F7560E8370C96F66B414B51D07
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
240
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
(PO 973)____________pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 13:00:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80b1dc3a-cdbe-4ff9-9611-89bd8b90d1f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/394381/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67287493.24022.21572.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6478961cb9bd75d40def905a/reports/2be3b5ca-53a9-4acd-98ad-364bff7cdb35/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/393f285b-acc5-4b43-aace-7283b4705d43
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246820
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 879842 Sample: (PO_973)____________pdf.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 6 other signatures 2->61 6 (PO_973)____________pdf.exe 3 2->6         started        10 newapp.exe 3 2->10         started        12 newapp.exe 2 2->12         started        process3 file4 29 C:\Users\...\(PO_973)____________pdf.exe.log, ASCII 6->29 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->63 65 May check the online IP address of the machine 6->65 14 (PO_973)____________pdf.exe 17 10 6->14         started        67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 19 newapp.exe 14 7 10->19         started        21 newapp.exe 12->21         started        23 newapp.exe 12->23         started        25 newapp.exe 12->25         started        27 newapp.exe 12->27         started        signatures5 process6 dnsIp7 35 mail.nereus.cl 162.241.60.79, 26, 49702, 49705 UNIFIEDLAYER-AS-1US United States 14->35 37 api4.ipify.org 64.185.227.155, 443, 49701, 49706 WEBNXUS United States 14->37 39 api.ipify.org 14->39 31 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->31 dropped 33 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->33 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->45 47 Tries to steal Mail credentials (via file / registry access) 14->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->49 41 api.ipify.org 19->41 43 api.ipify.org 21->43 51 Tries to harvest and steal browser information (history, passwords, etc) 21->51 53 Installs a global keyboard hook 21->53 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 02:46:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
24 of 37 (64.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zk6r3kfmfswhq77gygjktb7fr2y4cmfkvbkmlf5aykqvgxtlfibq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06fbce2c06c6be78142bf529523adc5fa803282dde64baf75861ddfd325dc666
AgentTesla
1dd3caa0895d9aa12c35344464fc9a229b1d55e8d134e83362fe75753f36ae74
AgentTesla
3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b
AgentTesla
734da354d0b8c982d436b43e4f8e105382af3d08def6114dfa685d1230bf64dc
AgentTesla
84ccefabf526a27d7d711f91219ba6531857883cc103dcfe1823f7d8240eb760
AgentTesla
86c51d21c17d07f820d88f41dea0e51f619a66573b72eee4442b50b799e1a73c
AgentTesla
8cb05af5d5848832ac7006071a842f3566196a891cd232ff3602b550803e73c5
AgentTesla
9f05a25d30b22c3d4a8da65f3ef034fc24ed35b97ed418f79d3af4def9f7ccdf
AgentTesla
a7880f86bd0bbb436dde37febb6168a0fbc51978378c0f5fd8f024d3c6487a7c
AgentTesla
ea3f69b9d5aebb683c12ff1014d62996dad0a81682e15386e838ac7d4120b430
AgentTesla
+ 4'583 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230601-p724wsec88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c3cec97f0079d58cd6e89507827f13b7038aae7ab6ec931ab4970a1b0f3b2052
MD5 hash:
a8109465ebd66103a7d251404b843a8c
SHA1 hash:
ee6bac4861b8b0444427244ded4fff058c4e1eb0
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
SH256 hash:
db87978272ee11e784e6f1ab1b981496f579a3cc1de52ef0538a569a1c49d6ec
MD5 hash:
60e069632d9137b84eb24c342169af50
SHA1 hash:
9d72ae43b71255a7c6572cbbfb83e99630a77cac
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
1095f12d9d7a5cee59e12eb7d686e9977c8d3d1e7ef9817020f56594f5812b87
MD5 hash:
53bbe05c1c470cc6496941f1b2aa25fa
SHA1 hash:
84cdd3d8c1604c84fa351b30b96d14cfea669aaf
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
SH256 hash:
cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03
MD5 hash:
9c2bc4f9ab1d2fb746991db92330a28c
SHA1 hash:
f63b13d15d41d84d9b4b004e2656e80c8c8ad2be
Link:
https://www.unpac.me/results/66e00e39-f7ae-4d28-862e-edad074b6a97/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cabd1da8ac2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cabd1da8ac2cac787fe6c192a987e58eb1c130aaa854c597a0c2a1535e6b2a03

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/394381/

Comments