MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119
SHA3-384 hash: 685661f9c121c9ae5a9e128744eb7992066735748e075d9acfa53800d411c8fc60e6de88d9109e397c2c8c482d3ca6d3
SHA1 hash: 8ef1e1826b39c6526c51f7e9f5f993079e11b65e
MD5 hash: dd5035cd3488b6070e496665afb8065b
humanhash: purple-vermont-oven-batman
File name:10122023WONG.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:678'400 bytes
First seen:2023-10-12 06:59:43 UTC
Last seen:2023-10-12 07:37:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:6dJQm3CvoQgJ/t4vVtXdraqCKJgNUdV/o5ikP7f6A6a6LogUARik0m+2r:6dJQ2CvoQgJloVtXJbN36imSmst
Threatray 153 similar samples on MalwareBazaar
TLSH T142E412BB71E71E1BC3CA13B9807252430F35435A256BEB2961E431FEAD137C129E3996
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 04c0e0ecc8c4c408 (9 x AgentTesla, 2 x Loki, 2 x Formbook)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
307
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
10122023WONG.exe
Verdict:
Malicious activity
Analysis date:
2023-10-12 07:02:00 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/b88d40ad-2ddc-4283-ac12-aa1d4991c3f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453690/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25624.10392.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65279975c51de9263e58d50d/reports/56f03fd9-5b15-48c3-ac6e-86081b9bc0d5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/045aaf82-f500-476e-afc9-95156a22b518
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324449
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1324449 Sample: 10122023WONG.exe Startdate: 12/10/2023 Architecture: WINDOWS Score: 100 59 discordapp.com 2->59 61 api4.ipify.org 2->61 63 api.ipify.org 2->63 69 Found malware configuration 2->69 71 Sigma detected: Scheduled temp file as task from temp location 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 7 other signatures 2->75 8 10122023WONG.exe 7 2->8         started        12 zJxUuqnDuXs.exe 5 2->12         started        14 newapp.exe 2->14         started        16 newapp.exe 2->16         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\zJxUuqnDuXs.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\tmp77E5.tmp, XML 8->57 dropped 87 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->87 89 Uses schtasks.exe or at.exe to add and modify task schedules 8->89 91 Adds a directory exclusion to Windows Defender 8->91 18 10122023WONG.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        35 2 other processes 8->35 93 Multi AV Scanner detection for dropped file 12->93 95 Machine Learning detection for dropped file 12->95 25 zJxUuqnDuXs.exe 12->25         started        27 schtasks.exe 12->27         started        29 newapp.exe 14->29         started        31 schtasks.exe 14->31         started        33 newapp.exe 16->33         started        37 3 other processes 16->37 signatures6 process7 dnsIp8 65 api4.ipify.org 64.185.227.156, 443, 49716, 49719 WEBNXUS United States 18->65 67 discordapp.com 162.159.134.233, 443, 49718, 49720 CLOUDFLARENETUS United States 18->67 51 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 18->51 dropped 53 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 18->53 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->77 79 Tries to steal Mail credentials (via file / registry access) 18->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->81 39 conhost.exe 23->39         started        83 Installs a global keyboard hook 25->83 41 conhost.exe 27->41         started        43 conhost.exe 31->43         started        85 Tries to harvest and steal browser information (history, passwords, etc) 33->85 45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        49 conhost.exe 37->49         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-12 02:02:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zourziim5hwgfzlyli7sabdfkvaaksrids3wut6oi22wiqnsuemq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4343245f1db76214093c4adefb0b167327c7bd49fa66608eccb2c4faadc3e32d
AgentTesla
5656c153b65de82b8104162a070e36cde0a5ae7fb38569390fda0e9f2492a9d4
AgentTesla
78091d62251b24e840b99cf80f6f9f68a1725a1b2cc3a11aee84847e59b38ff6
AgentTesla
87dcdd3f1671bc564055e160fe0a4cf12033f6b430d2a5520e5a92adaf85e4d2
AgentTesla
b93fab56242eb11d31992191aa2a57f93c8f9b77d1041b4c97e830f2b4ff5045
AgentTesla
d2355e84bd9dff1872c5bf04051c3984de36958b0af97c1ad874bce663501399
AgentTesla
e146c10d13f2ed30acbf8733bf5b3ae1e75572fd917d8b6749b69c54676e9923
AgentTesla
+ 143 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231012-hsnvdsch5s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discordapp.com/api/webhooks/1153700699834691685/M5gCinKbgwx1y0Un3wShojVYyovSobKStS9hh3xaGpbehVxd9J0PoL95zLfmRDpOlFyJ
Unpacked files
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/349a8a55-368a-49c8-8421-9ff7b44024cc/
SH256 hash:
ffabc13f7fad5bea21ab9b04b5c04700394db8ec812f01af098dfbd213b0cded
MD5 hash:
bb95d7e54d7271723c25cf89f5bc63fc
SHA1 hash:
c00a879d8c2bf1d1600387eee96b70f53fa53a39
Link:
https://www.unpac.me/results/349a8a55-368a-49c8-8421-9ff7b44024cc/
SH256 hash:
82ae67180c112ab7e09c678176b8dd915cd86f25a478da7a26b86a049a555f40
MD5 hash:
209919f9cd2812c9c8925b491854befc
SHA1 hash:
a45bb1ef3cd5ac272a98d296422a758ff1da77f6
Link:
https://www.unpac.me/results/349a8a55-368a-49c8-8421-9ff7b44024cc/
SH256 hash:
9cba9132e8cf51608dee0dfecbfcfb8568427dca79c1d0457e12cb554d859092
MD5 hash:
325978b66a3889c432c76b51b4fbaf98
SHA1 hash:
0fdf8862ecb3be129b8d6a5d4d951e8db9967de7
Link:
https://www.unpac.me/results/349a8a55-368a-49c8-8421-9ff7b44024cc/
SH256 hash:
cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119
MD5 hash:
dd5035cd3488b6070e496665afb8065b
SHA1 hash:
8ef1e1826b39c6526c51f7e9f5f993079e11b65e
Link:
https://www.unpac.me/results/349a8a55-368a-49c8-8421-9ff7b44024cc/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cba91ca10ce9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cba91ca10ce9ec62e5785a3f2004655540054a281cb76a4fce46b56441b2a119

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/453690/

Comments