MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
SHA3-384 hash: 5214c85e916cbc9dc60ea5d5276fe80b5c39ff589113ef1899c1844391bb4e9fd7c2b8abd833def737eb34802077c10e
SHA1 hash: 4a9f324ebdef73ac81b7f0c3866c749d4486f18e
MD5 hash: cfbab596553f0380d0a9c5d5a866b2d8
humanhash: princess-hydrogen-paris-william
File name:JUNE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:322'641 bytes
First seen:2023-06-16 12:54:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:wYa6SiXa8oNWzyvICypXRqI5TZ9z1TsJQpi7gH0cr0dSE2HZ7:wYgiXTxOLqXAiJgQpVHL0oEg7
Threatray 4'690 similar samples on MalwareBazaar
TLSH T12A6402587F404E4AC433567184299B592E97EE90E4541D8633F3BA1FEC33DE18ACA7B2
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7aca8abab4a4b8da (33 x AgentTesla, 32 x SnakeKeylogger, 4 x DarkCloud)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JUNE ORDER.exe
Verdict:
Malicious activity
Analysis date:
2023-06-16 12:56:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56f9fbb3-4593-41f3-9569-0722c4cd662e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399490/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67519419.5373.4040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91049/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/648c5ba7ec3d0b10ee42854b/reports/16f32001-4540-4049-8fc0-fb355de553be/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1175da28-72bb-499c-b44c-aedf8b69b426
Result
Threat name:
AgentTesla, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1256042
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-06-14 10:25:36 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zo6f6vgjralzt4nm54v37y5ydxibeqx5s2kl23xj32vejwiddhxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
AgentTesla
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
AgentTesla
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
AgentTesla
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
AgentTesla
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
AgentTesla
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
AgentTesla
bdfe53ec3b0fe84ed197930c8adeb2a6e0a5fd5183d9189fdadb27c894e687e3
AgentTesla
d0e55dd7e642a2550640ddfc5640cae323fcf94d4b0e1fbd67c2c5ff22db447d
AgentTesla
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
AgentTesla
+ 4'680 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230616-p5rv5seg6w/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07
MD5 hash:
aa445eee133a93b202ea105e5de4e232
SHA1 hash:
c0968cfa259d38fb80af27465c314ba889b08296
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/22203ac0-30fe-45a1-901f-3307d5d97bff/
Parent samples :
baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
SH256 hash:
84df4ac52786c30b683678168bf221b2138d0c98869faea98780a0f579fb71bf
MD5 hash:
8840d098bf4533cbf8c8657e19db31a1
SHA1 hash:
0dd1ce439dc29977edbb367f90403889986b079b
Link:
https://www.unpac.me/results/22203ac0-30fe-45a1-901f-3307d5d97bff/
SH256 hash:
1b85430b3711fc807207b3afaacbab631e54e18252fd1c76da91aa2c60257534
MD5 hash:
1f81ae4c0b10233f822d97872c94c285
SHA1 hash:
09a60ea6cf811283370d0941aaac556db05e587c
Link:
https://www.unpac.me/results/22203ac0-30fe-45a1-901f-3307d5d97bff/
SH256 hash:
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
MD5 hash:
cfbab596553f0380d0a9c5d5a866b2d8
SHA1 hash:
4a9f324ebdef73ac81b7f0c3866c749d4486f18e
Link:
https://www.unpac.me/results/22203ac0-30fe-45a1-901f-3307d5d97bff/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cbbc5f54c988/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399490/

Comments