MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7af63608879c8dc86d731b57e232e3b8031ab18418fe7763c5c19dd3aaaa45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd7af63608879c8dc86d731b57e232e3b8031ab18418fe7763c5c19dd3aaaa45
SHA3-384 hash: 257fc5e48f2dc79144cea32ff96070f6136a0f8a14956e9a0c40a416f3dea93fef57b9544af13fc155160a9ac0921785
SHA1 hash: bf787f8d9c3a7117473b7d70ddde6e1ec5a73a95
MD5 hash: 4791ce8271225059f81d67752d7e4f98
humanhash: utah-oven-angel-juliet
File name:Payment confirmation (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:850'944 bytes
First seen:2022-02-10 08:04:30 UTC
Last seen:2022-02-10 11:32:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:q0ZOQkT7kohCAoITLcrrlCiUXTSFDxjoGB9YzEwlDp6AiRQ7+V0ssbyglTxNUUhl:xYMNlIfcrhCi5FiBKo6VMb9NDi
Threatray 14'929 similar samples on MalwareBazaar
TLSH T13305121567B88B76F47D93F86434403903B97C4E2265EF8E9EF1A5CF2932B911410BAB
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240593/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.42163.22333.2523.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/6204c733a35489c8da007d41/reports/4fd2999b-ec7a-44a2-92ca-8383271a4495/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/166a3d9a-5447-4ed5-866a-c1f0ea89db35
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937429
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 569907 Sample: Payment confirmation  (2).exe Startdate: 10/02/2022 Architecture: WINDOWS Score: 100 30 smtp.yandex.ru 2->30 32 smtp.yandex.com 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Yara detected AgentTesla 2->38 40 12 other signatures 2->40 8 Payment confirmation  (2).exe 7 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\CcVkzBYGBScghj.exe, PE32 8->22 dropped 24 C:\...\CcVkzBYGBScghj.exe:Zone.Identifier, ASCII 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmp816B.tmp, XML 8->26 dropped 28 C:\...\Payment confirmation  (2).exe.log, ASCII 8->28 dropped 42 Adds a directory exclusion to Windows Defender 8->42 44 Injects a PE file into a foreign processes 8->44 12 powershell.exe 25 8->12         started        14 schtasks.exe 1 8->14         started        16 Payment confirmation  (2).exe 2 8->16         started        signatures6 process7 process8 18 conhost.exe 12->18         started        20 conhost.exe 14->20         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd7af63608879c8dc86d731b57e232e3b8031ab18418fe7763c5c19dd3aaaa45/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 08:24:31 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zv5pmnqiq6oi3sdnomnvpyrs4o4aggvrqqmp453dyxaz3u5kvjcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a6622548b70077312df3ffee6ffe24bcf6536f8ecf8c04bc05e54b69ba5509c
AgentTesla
2a411486f86d7a28869c33afc7efec53f718b0613f91b6a28a6d3343aeba8e63
AgentTesla
2abef54041681b9251673959524c002821e9e90483c7cdc0e3668bf2cc2c91ce
AgentTesla
746c7b9ef2af8d9fd8aab245cdd5fe9af49144766040223a77e4f6d87a12658a
AgentTesla
81420f42ee455db2a99c1f85b03fb213083e03c2f329f1919b9dc3044de89555
AgentTesla
94669f2cdf2ba213efd219ccbb74fa458a38a2db8c58f992670c799da5662228
AgentTesla
961b0d1fdca9f4024ac4a3a8d90227433276a7f0e204d0aae55291fa98006284
AgentTesla
bf923e0310c99d2ed1e447de1abfcd12ff683a41e9c1621441ede06ec759f0af
AgentTesla
ced74986e807f1b4dd969d4811e20b516b11b39d0d8681ebadf9123a6de30b7c
AgentTesla
e839e0292780fb5adef7b827b4dcac7a5fa2063904a529126b3fa0ea85ee3735
AgentTesla
+ 14'919 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220210-jyxvxsgfbq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f365b92b11041eed57b6f7534e83e04167fce1cfacc570e79335292f3c0ea8aa
MD5 hash:
9147a2ef317fe384182d1281e5af8110
SHA1 hash:
bbe360e6eca29a32e1f787e1416ddad4d35dcf1a
Link:
https://www.unpac.me/results/5fd0e672-0d42-4caf-8523-5491058163ac/
SH256 hash:
0c9ec5ba8b23528b2aa40ab2d4469f4ff4dcbed0973839c771d4cf3d5b8c9fcf
MD5 hash:
8e2dc1645c85220ea4164fc1046a1771
SHA1 hash:
77d13d320c0e35b6484502df970c03e40219551f
Link:
https://www.unpac.me/results/5fd0e672-0d42-4caf-8523-5491058163ac/
SH256 hash:
cd7af63608879c8dc86d731b57e232e3b8031ab18418fe7763c5c19dd3aaaa45
MD5 hash:
4791ce8271225059f81d67752d7e4f98
SHA1 hash:
bf787f8d9c3a7117473b7d70ddde6e1ec5a73a95
Link:
https://www.unpac.me/results/5fd0e672-0d42-4caf-8523-5491058163ac/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cd7af6360887/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cd7af63608879c8dc86d731b57e232e3b8031ab18418fe7763c5c19dd3aaaa45

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/240593/

Comments