MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
SHA3-384 hash: 11343569f419e501949ec75e495e8fbfbffbfcb3187093c4f1db73f4fba4c99968f79561cdb3a880d1fe9ca73c68bc73
SHA1 hash: f55c9a5b6f4ad4483394bb3731537d2ca3e1f9b4
MD5 hash: e31682011bb9d9bd9b367e9d645dca3b
humanhash: nevada-lamp-violet-delta
File name:Is_Bankasi-Hazirlanmis_Dis_Ticaret_Islemleri-18.10.2023_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:866'816 bytes
First seen:2023-10-18 16:09:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:7Xmr+U0Ym5//De4sqXQxXe1JsJvxvEUyhrOmcvQXWFl6rOQ1FFxNkQMs6AWSVTJn:7WSAmleGGXJqDEvnYTbOQC3SVDB7f
Threatray 154 similar samples on MalwareBazaar
TLSH T1E205497D1DF98227B978D6A6CFA4C432F061D6EBF9625D2AD0E746818702803B4C71BD
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe geo isbank TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Is_Bankasi-Hazirlanmis_Dis_Ticaret_Islemleri-18.10.2023_PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-10-18 18:21:01 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/e794c135-6566-4001-94ce-10705389225d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.21199.27958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6530035eafc17c7912f7fec8/reports/bca35c28-3dc2-4632-afd9-2f38140b804d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/27d45c5f-3b7b-4fe5-bbb7-0ccf2adfd0e6
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328168
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328168 Sample: Is_Bankasi-Hazirlanmis_Dis_... Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 38 cp5ua.hyperhost.ua 2->38 42 Found malware configuration 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 8 other signatures 2->48 8 Is_Bankasi-Hazirlanmis_Dis_Ticaret_Islemleri-18.10.2023_PDF.exe 7 2->8         started        12 kLAeaGsGve.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\kLAeaGsGve.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmpFA61.tmp, XML 8->36 dropped 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->50 52 Uses schtasks.exe or at.exe to add and modify task schedules 8->52 54 Adds a directory exclusion to Windows Defender 8->54 14 Is_Bankasi-Hazirlanmis_Dis_Ticaret_Islemleri-18.10.2023_PDF.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        56 Multi AV Scanner detection for dropped file 12->56 58 Machine Learning detection for dropped file 12->58 22 kLAeaGsGve.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        26 kLAeaGsGve.exe 12->26         started        signatures6 process7 dnsIp8 40 cp5ua.hyperhost.ua 91.235.128.141, 49746, 49747, 587 ITLASUA Ukraine 14->40 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->60 62 Tries to steal Mail credentials (via file / registry access) 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 32 conhost.exe 24->32         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 14:11:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 35 (51.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsuak35o4uomgb6usfkn4lonlykkps7in6imkrmcpcgopndkutmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28df40eb3104e2feb9fe3b1e7915d245abbd70abc6523756a61617731b8d8ada
AgentTesla
32812b32bcd108fe5d4322071ae981c09366c7e424e788db406d7f850b4d91fc
AgentTesla
34c7377e5b187edf6d660e7df34b68b968940b6de1399c2f4a3e5675099139f4
AgentTesla
41ba24841b5058d02d56f6e4bd187bd7c9f6ece97f38c682a27bfc26748e4c5f
AgentTesla
7a3b69d2da752d5b7be89edc1c1b71393d204915e91fc45d623ed9f61399dd92
AgentTesla
897a97b958884456ec4bc6222c29db3057ab0df05c31de0ad02fa1b0ab6a4730
AgentTesla
c7917d3ebb2c276113548fdfc4dec0b4db97145b9e687d3177248f1b675800fc
AgentTesla
ec6ee7d5f97f7e5e14602ffba790f130f500cf94fe4f1806ad98d453c5ac9f31
AgentTesla
fec2fc59ff0deda9141200d10606ec0314a62f18a5b479e6438a13d8808d58ca
AgentTesla
fffc596389cada3bd1e1d1659029e607e14320cbdd126de7fdbe33b99f9c59d7
AgentTesla
+ 144 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231018-tmdb9aga4z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
887c1868b2035053475d59246536ddd62c27337ec9f013d6dfe6c995e8eddea0
MD5 hash:
5bb973a00cee0e6c57b856335112abc7
SHA1 hash:
fe1e343446b8eb10b55d2a73e9f5060b375275b7
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
SH256 hash:
d74a8e36a852d0d913e209f9a5f2e21b6595ed676f7872e0a2a56d654c4b961d
MD5 hash:
425ca699be0f272e926bfe2a6d5b2f8c
SHA1 hash:
8ed65a04ebdb90b215a0d86cad5e41e855a59419
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
SH256 hash:
d511c0658340ec9d35d8f08fd22ae55c6aeebcb52dac453040817a6f9ffd7e43
MD5 hash:
3ac67cb9041168e636198401f53d857b
SHA1 hash:
6207398f41db994130c80150a0c2598045e68b45
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
SH256 hash:
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash:
ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash:
4f2ac65623e89a9457cdd5fc51dc5d747b4830e4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
Parent samples :
be91f662c6129ebed98724e3bcc3b1756f34ae703ecd0c2d1b7b24680a911b02
7c8f766c92bb04f1a2ea22e8a3fa91909bbb2c918c67a957aa956cc901488e56
8fa741885aa3008210667909c5dc93bbd695bfa9f10b808f329e70a87dbbc262
3fc2adeb47b4f9fdf134587dc79fc696f13852e509b883e9ed7b308b77846016
73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac
bf4eb25b59a0472448b5efed8a8b5286867ffcc99751f2aee8c2b5e208800b7b
0de129849e28a7281cd7d6e6ca69f950a27efca7d1b121b1635e6c34b76ad167
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
c93dc9b3ec14e0e1d375ee919ac40ed95eb67eddc6cb9b7508b4f64743ad8804
0fa983b67dc6abd6cce03b0fcebd96d1bb78ffbbc65b8a0f5fe7ff6c79baa109
24952a927387b2cfbd99c117a3b7d74fa69dce826f70767765622a5aab3db707
6f417ed94d121bb0379a9ce8c0465c503b998bcd2c0df5021c0ee595901aebca
f79e68687f0f3089b125964c398199c04e5ba690540d213ee014eabf29e8eeca
fd272b82f6a8bba4cf146ca17e16030eee6bca8df4dc58330a3721dddd79a43e
87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
3f53c498838571bd3333fc44bda24180a57a37a5a1268f4cdb1d204212c29858
4518d27e5b9109b044c8dabfa242bb224be62ed58111701c1f5e9fb7ed189f11
e75f34f2f6cbed8eb31dbef8ec7d031fce2feacd74f3a516e777923e6170b5f5
e8c89752942b8011820e9d04753700eb70f77a8701796ef7e826399cf889f9ec
d98ed54790efc6d718d719228e2bdbf4295cc23c94c22c6d77b55217337f860c
6d304e636be69bafcfae9423e629770fe3499d352e2a2259b9dc8f428b9e7cbc
6dac7514d424951b1e3091f61a94441b718c5e64e9dba95cfff15a51d8cde370
a4ad4601041ce6d58fb2468be1a3570c6d4e8c0914762972d3ea9a7e66fb85f6
ac32a3b616e9fb1f37a3f8e84db8475dfefb5e3ca56c6eb5580fc6f3887d8744
129467623307928e4bd892bf6320cd2f4c791e5d91d374036469ed09127dba45
a84d6a658ddfea2bf155df47943d616f4dce09d55bf7abc2eac1f1485be7bb48
830eb8430c1b8ce58ea1e6fef98794ef5dce3c485e244adc2e8ad310f2fe2bc6
48b23bea4cdfe0a7e79bc5ebde6eb2d9c69485e14694c48c13f0aab452b60d74
a5888a484f812f66cd39e16dbbcbb0891fd7f88e28a02660acfbe95635055696
96703bd16fbb6ebb4d19bbe99956cc74bc08ef7b8c05d258783c970e7c300ffd
810af925d95b0578d0051b1c49ed2a708c6b8057445794020382560315e611df
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
4b6bdd2b172adc692eb97dd87b5a6bc461e24ba6e714096771dbc3c45168b600
94459db0dd7ef2cab3fd0969b43bb53680c55bf2ea9d03e66bfdd6ba9af65fbf
62ddf21940294964b888e9370713e136b014b8e850ce276d94e9b410a498e739
8f49069af492e2a87edd3a35aafec61b4640c7759917252d317eced01bfbe25f
f42ecdadfc4ba973e68738550d4346e1ca67f0574c7a88a0f8fcf24fd9317cf5
f735fee6c67843c3661810ddde634e99d4eb301e4b298ec06e55d5f58b2a9351
b2436df85bd09d9aeac01c9f7e9b0ba093ad117b8444c99fed71db13ce86f95f
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
9e4960cd3423e643c807c5ac464331fe6844040bcddd39a1b373769ef2b13f6f
bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817
598fd9267e154c9fd5a5d36f5cf153a570c3265bd131cf63082b64cb4b4e7861
2b6f9aaa250051acb504eb782e963ef4bffca581d26d7c632b405f130ee5e09b
ef8e672ff4f30d2630ddebcf804c67d572e9979c949e4803654572479f486db0
061e29f834b607e0f56113f3318890231346ac04a7fe24673989e10261fe55e1
7d83a92926f6caf31b31a57f3fd55bff1105f3dac0d686847556149067897e55
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
3717f0928a99c81222dca1d74f568e2f92584b5bac7848697bd3913c01742baa
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
SH256 hash:
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
MD5 hash:
e31682011bb9d9bd9b367e9d645dca3b
SHA1 hash:
f55c9a5b6f4ad4483394bb3731537d2ca3e1f9b4
Link:
https://www.unpac.me/results/a0a5d2b6-029e-4dfe-8c5f-f791790454c6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cca8056faee5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments