MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30
SHA3-384 hash:	c81ec14d32b1ab836bf9385702fa3375e0ec84bc6ead3450d053d03b076659cc7ec3290e038fa4e99994b7435cdb1801
SHA1 hash:	3f2fc209753494fb5f7115b2059b550c3da096ce
MD5 hash:	53b33f55cb362ea03a85def0a7eda81e
humanhash:	juliet-red-lima-sixteen
File name:	file
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	291'378 bytes
First seen:	2023-06-13 14:21:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ea06f0ebd05782e9caa4e3157d406e08 (3 x AgentTesla)
ssdeep	6144:5XE3i2rmViGtul1HJ5DCgXW33wcmBSNMDYuYawVHFGOJw:5XiGIlJ+vgcQ6MDY5V4OJw
Threatray	6 similar samples on MalwareBazaar
TLSH	T12E54DF2C7D785D56E0D5CBF189E5B567B021EC2E22CF4C0F698B6B580AB354324E326B
TrID	82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	jstrosch
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

290

Origin country :

US

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-13 14:24:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cc85d322-4e74-473c-8f32-d91d38209550

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox XorStringsNET

Detection:

XorStringsNET

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/398447/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.Lazy.350119.25966.29417.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/64887b8e9f45f940f553d157/reports/f661c747-46a0-416e-8dc6-9599167454fb/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab0523e9-9962-45da-b779-125b7ce0c0ca

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253720

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30/

ReversingLabs TitaniumCloud Win32.Ransomware.Cerber

Threat name:

Win32.Ransomware.Cerber

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-13 14:22:08 UTC

File Type:

PE (Exe)

Extracted files:

6

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zw5shuuqgbrsql7bkkwghyudrl2mbgoc7imoshkeishn4thpbiya._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

803df40184cf585fc3e2e8172972b3e548971a193ed4af7b7d53e6bce2ea43e1

AgentTesla

80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9

AgentTesla

afd448d428fab23dae316bed55ddf9605d3193e9eedbda898cf9304272830c9d

AgentTesla

dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330

AgentTesla

fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625

AgentTesla

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230613-rplqashb2t/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

UnpacMe AgentTeslaXorStringsNet

Unpacked files

SH256 hash:

2d490262eecc0ec622418e1e72b7a640eccfb5f7884da7ca9e296c2a1a4765fd

MD5 hash:

bc2ff0ea085cd53497db50174db6adc1

SHA1 hash:

2705bda05df55b0b9bfa9093a0dd73820e3748ba

Detections:

AgentTeslaXorStringsNet

Alert

Create hunting rule

Link:

https://www.unpac.me/results/49c99df7-309e-425b-8afd-8fb021111a1c/

Parent samples :

dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30

SH256 hash:

cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30

MD5 hash:

53b33f55cb362ea03a85def0a7eda81e

SHA1 hash:

3f2fc209753494fb5f7115b2059b550c3da096ce

Link:

https://www.unpac.me/results/49c99df7-309e-425b-8afd-8fb021111a1c/

VMRay AgentTesla

Malware family:

AgentTesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cdbb23d29030/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30

(this sample)

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/398447/