MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687
SHA3-384 hash: dfaf58a144e4c73ba19b4c317629ce1c3152c36ea3d9a211bdc2b4e9e2c925b22bb19e1fd647d3d30335a8db23ade269
SHA1 hash: 79f2fe21dbd9f4618a60d9421b623b6cfdb6d924
MD5 hash: 9dadfc8f01d8b789ce9267cc188591bb
humanhash: sink-blue-juliet-nineteen
File name:9dadfc8f01d8b789ce9267cc188591bb.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:622'080 bytes
First seen:2023-09-20 08:14:47 UTC
Last seen:2023-09-20 13:03:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:zpUTErRtZC/CY5fdwZ0uYlR8gdV0Vj28EERjnd/gm5TD:NUiZC/CY5f6SHlR8gaj28Dv/gm5
Threatray 5'659 similar samples on MalwareBazaar
TLSH T116D4C01531FF6E46C022FBB50BE8EDBA96DAF1F6121EF73A3F8506424318940DA42975
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Docs & Bl.xls
Verdict:
Malicious activity
Analysis date:
2023-09-20 07:28:54 UTC
Tags:
exploit cve-2017-11882 loader stealer agenttesla
Link:
https://app.any.run/tasks/fe7f6317-1fbd-4acc-8748-57b81cb662be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449970/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17484.13382.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/650aaa0a83a0c6425dfa3302/reports/add241e0-4196-430d-9ba1-14c803395f6b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0eecdb3c-0fad-4370-a4e6-c31ca561878f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1311402
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-20 05:28:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zve3aisbdq2lqnhxmxmhiyium77de72yudj4qphthv4pwomj42dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2627e96c1ea96adf04b4709b5cdb2fe6b9cd9b82ff959cdde4e61a4acb9cbf4d
AgentTesla
7a3f9e8c7610b1b6bc6433234fcc92a41834657cbe2f0bf74442d772df664568
AgentTesla
9c715b1f528e3ac5d2a6c36d162880ac8ccc240e25022b363dc3726f2d7e2fff
AgentTesla
a3838f118bbfcd8759b3a449924c84893908e1333ae5a321fe6fec55c28af707
AgentTesla
b63ed1999685c3144cb61f9091b54f33fbcf657f3ea910b11e57e5cf8f1bf2c7
AgentTesla
b9c74c6cf3df328ddeee396c2602a7d93a6fa4f8fc3f1e67e41d91e290592e4e
AgentTesla
bbb9a417f02e708434b3737c20a59fa322c15b170be8befed9167c2f5573f2f0
AgentTesla
cd0e9bc33a68486a4e77ba0009de26524a62c27cc3b92cc1af054bb0a4af2d5d
AgentTesla
+ 5'649 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230920-j5ktyahb32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
cd0e9bc33a68486a4e77ba0009de26524a62c27cc3b92cc1af054bb0a4af2d5d
MD5 hash:
328d3b87a59d92df583d10ea07f10d18
SHA1 hash:
a3945c0302451c93e64ced9a12c5157d42ab2f77
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/34094c83-8c8d-48ba-beea-130be11e2069/
Parent samples :
cd0e9bc33a68486a4e77ba0009de26524a62c27cc3b92cc1af054bb0a4af2d5d
bbb9a417f02e708434b3737c20a59fa322c15b170be8befed9167c2f5573f2f0
cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687
91c4358eb1c2c4d38b2c3e930eff281ab6cf22ae0200e4dfa49725fd4657e9f7
be53b6f5ff15575799a0a929be641c79c173fa0b6de9c95f0ac524c10c1b9c5d
e44909d74d74294240a22cf582583e73e11ed097d32a32470ad5a354ba1b2dc6
SH256 hash:
0b4c93addb0071e4cc368bc5e46a535e2eafd360b5db8b6c87620d7225eade2d
MD5 hash:
e17d9bb18c1bf12de8c75fa570f4cf72
SHA1 hash:
97751a31524557387d136e0e42e204186d00b5dd
Link:
https://www.unpac.me/results/34094c83-8c8d-48ba-beea-130be11e2069/
SH256 hash:
77460d48cb68764200a9f84a5c4759ec6686369b94762f83d55e9bfbb69037cf
MD5 hash:
39dce5d15e1993b8131b3720cbdddccc
SHA1 hash:
6585d2f474df93175b91e361e629363f6c129249
Link:
https://www.unpac.me/results/34094c83-8c8d-48ba-beea-130be11e2069/
SH256 hash:
cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687
MD5 hash:
9dadfc8f01d8b789ce9267cc188591bb
SHA1 hash:
79f2fe21dbd9f4618a60d9421b623b6cfdb6d924
Link:
https://www.unpac.me/results/34094c83-8c8d-48ba-beea-130be11e2069/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd49b022411c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe cd49b022411c34b834f765d874611467fe327f58a0d3c83cf33d78fb3989e687

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/449970/
  
URLhaus
https://urlhaus.abuse.ch/url/2712635/
  
Delivery method
Distributed via web download

Comments