MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
SHA3-384 hash: e208aaa749a9ff30afb0739a0dfeb535ea502c66c6d2cf11e5d769dc6243b6b09ca3374fa40f338309abfbd3976ff34d
SHA1 hash: 384e6092590c167ca0ecf0e920f8e0b1a5523a6c
MD5 hash: 7e0757c53dd402f04e56fa2fe29a6692
humanhash: timing-arizona-iowa-wolfram
File name:08MAY2023_DDPE 02973-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:825'344 bytes
First seen:2023-05-09 06:37:45 UTC
Last seen:2023-05-13 22:40:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:quSxI4YGKH3mG1gneHMeAFZJN9hDKeXF2bf:tCI4FKXmHneHPaLN9keXF2L
Threatray 2'601 similar samples on MalwareBazaar
TLSH T10405813D28FC3612C1B5EAF2DB94E561FBC0859276358DDE1AD6808616EF90236CBC1D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08MAY2023_DDPE 02973-pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 06:42:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04da9df7-525c-45b3-80b4-140fc64dec05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387681/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2014.10401.9875.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6459ea4b2855dd84c8082ea4/reports/5f346a3d-ebeb-4315-856f-5b5c1248989a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/df379146-c044-4480-8291-e1054973c608
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228890
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 06:06:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztjtaacsg4zzsggb5ro4hpbfhiuidjvrj3ufaltkb5yljzmepzdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
355187cd71c38b58210b22e41e9d3df14dbfca37503289038b1c0a71c08491c2
AgentTesla
35b2e419aac0f4b99c12bc54c7e80f095184accbbc528833e881cf5e834c58e4
AgentTesla
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35
AgentTesla
86427b8288b61c876a94f3d5226fb04f843ee245ad937dcdb4b974e81ec8b404
AgentTesla
a1ad0c868b1516099bd98539e2461b5d5f875ac42fab278297dab51687ac2037
AgentTesla
b5d3c7a0a47dcfc26d108e8ab87d79a33955bf53c66ceff7f60f309df2ce3353
AgentTesla
d67557fd37174016e188f4e3932341f74c0a79ade0a34fbffc190e91b9e5a0e4
AgentTesla
+ 2'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230509-hd4masee94/
Behaviour
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
bb73d9ea9d644285c0d37f7986e6ee0dd82b71ac750b22e98474b07533bc1da0
MD5 hash:
929d7e60de4a77a18ba861013bd63761
SHA1 hash:
cf5929441378605ed72d4b6b7e8fe30a3f3dc9c6
Link:
https://www.unpac.me/results/2dcc4e41-4f2a-4fbc-b6bd-1c5bb4be6cf2/
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/2dcc4e41-4f2a-4fbc-b6bd-1c5bb4be6cf2/
SH256 hash:
90618f0283ea1bd9489ac121e83e4558927a5de19ea752c65721707aed6f02ae
MD5 hash:
0a6a66d536d763d9eb8ff72a9da4d379
SHA1 hash:
2be820e0c08d2859f30c94fbd0b81f4eb8a6143c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/2dcc4e41-4f2a-4fbc-b6bd-1c5bb4be6cf2/
Parent samples :
ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
584b466de40e9a985d022ba115ee7301b46261f1526516eaae36760a435be241
c6dcc5ea2ef3af8a214da77f1b3d14af29cc066fbcc952b291494ae321279edd
8b8249728361d92d8d0891d75711b07ee241db22a8ca1bcf2efe2cf14204d9dc
e52bf3df9ac10f10f9a9e7e8287950565ba725dce1c6b9315c77b4b361d7edb0
683532549c9b7349442f5dc3466cacc398bb663564eb63f77a2964dd216dce16
90af14f7e125ba4bb6b30152719708b262b08d77b30b02d02ee136d2acf8bfb5
SH256 hash:
ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47
MD5 hash:
7e0757c53dd402f04e56fa2fe29a6692
SHA1 hash:
384e6092590c167ca0ecf0e920f8e0b1a5523a6c
Link:
https://www.unpac.me/results/2dcc4e41-4f2a-4fbc-b6bd-1c5bb4be6cf2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ccd330005237/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ccd330005237339918c1ec5dc3bc253a2881a6b14ee8502e6a0f70b4e5847e47

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387681/

Comments