MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
SHA3-384 hash: e775882d723e51667bd168fa6e5877a4ad2e5f6b8ecab86974e220a1fcd0112d78590d6c74121f1ff95dea61925b8c74
SHA1 hash: e08228e4d385f3b85e20b29a892fb5195209e68b
MD5 hash: c582847bfe94041791821319e7bdfe44
humanhash: west-happy-nuts-alabama
File name:rDB_DHL_AWB_001833023AD.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:661'504 bytes
First seen:2023-05-18 10:42:45 UTC
Last seen:2023-05-20 15:23:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:lP7gxHmJ0iElsjRmwZvLbEyk90fOy4W4rTR73VhD+Im8+mzQ:lD4GJ0iTbG0Gy4XpbVhBm8v
Threatray 3'815 similar samples on MalwareBazaar
TLSH T18AE4F13027D9C70BD06B4279D5E6C3F063369D84B976C7934EE9FC4FB28A6A61321246
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8eae6e6e6e6e46a (13 x AgentTesla, 10 x Loki, 7 x Formbook)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
309
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rDB_DHL_AWB_001833023AD.exe
Verdict:
Malicious activity
Analysis date:
2023-05-18 10:43:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/26616cdb-087b-4de7-b350-e674e623b54c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.29825.24679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/646601393e79001b02ca10e6/reports/9ca1541f-92d6-4db6-934d-75b0556f3af0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a64d1196-b700-4b32-bf4a-1137eaa2bb09
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1235855
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 05:46:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxmtzx3vxvq2zgzrmnlep4r5jz6frkq5nsbfncz7qa3ln5ckuira._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
36cb70021e8a153c22312876626b4143dc1cca60862d667d2af0c95a1fb9e8ac
AgentTesla
3836e97722f2267266161a857140dfda9731e6bcec5147169c86410a39ac24e7
AgentTesla
7149bce0cf55829579b5e141f8c270f9d9c6f152e37a02695f64f5d6adfa4381
AgentTesla
a7880f86bd0bbb436dde37febb6168a0fbc51978378c0f5fd8f024d3c6487a7c
AgentTesla
ad06dd86354aa9e61e6de1aabf9efa7539fb13edb2e23e1eb63b86d59203e55f
AgentTesla
b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295
AgentTesla
c3d484451f9d0cf5aa68dfeceed67b5853cd2780512129668e9fdd98bc5490de
AgentTesla
d89787191bcbb0685fe37fb26409367f1b00a23e4f578081785f7dba7aa2a9ce
AgentTesla
e3e6d851f1598eb145492e46d7431f72436178f1a60ebc4d6742839e12d52200
AgentTesla
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
AgentTesla
+ 3'805 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230518-mr866aad75/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
3d3ac9db4048dfa91ff58a49e640206960d3b54d84fdd0f067a1096b4502c478
MD5 hash:
fa1a8cedf06059c8ab782053224f535a
SHA1 hash:
5ea815aabb2af528c1d5fd73a30a762f84aa0a2b
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
SH256 hash:
40ddf11e4a0f8e8ed6ce55df9c95b21c8a67f1cd9dc0c832504656c57b504868
MD5 hash:
6129f906f1c7fa93833b76902e8d7848
SHA1 hash:
3000553e04b6bf327f3750daf214b0b0ff1dd995
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
Parent samples :
cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
82bdf8d51de5a8c83057f679e17818ad9b1f644d69467acdca364603c421c700
73ce1d5ddffdbd047c15e2bbdace225e6defc74eff88958911641f5fde726081
eda98286056888838732e3394913161d04b8c3369c49f91edd6dde003b9b69fa
f2168fe0192cc2c215eb36164e3f646177934df2681703551ac90ab73875f37d
444ca22e0385d682a9f56465094ecddbba73cb8b5c6dc3d3dea63539c2e19a5c
SH256 hash:
1a9a14d02fc7384243212774e4a943de1bce5ae0eab3badbcaf8641332ee560c
MD5 hash:
8a22c20f2fe2d20cdfe5f125e61129de
SHA1 hash:
02f1344b9dd763f0c66536858df03b954e130be0
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
SH256 hash:
cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222
MD5 hash:
c582847bfe94041791821319e7bdfe44
SHA1 hash:
e08228e4d385f3b85e20b29a892fb5195209e68b
Link:
https://www.unpac.me/results/272a5a57-407a-4ce5-a2d0-574a16db702e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdd93cdf75bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cdd93cdf75bd61ac9b31635647f23d4e7c58aa1d6c82568b3f8036b6f44aa222

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments