MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b
SHA3-384 hash: 69d8e827923f3ad861c2c0d2e1e9e6b6c0eb91bd9c5232b8c6a3b8324c5af1626b0a0063f7323d41617f0a03e0fd472f
SHA1 hash: a8b8262b8fa9d8c1dc31edb4659804ceabd8ed30
MD5 hash: a2d2b21dc77042fd256fb0ddbdbff5a6
humanhash: venus-pizza-lactose-juliet
File name:a2d2b21dc77042fd256fb0ddbdbff5a6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:582'656 bytes
First seen:2023-04-12 13:06:45 UTC
Last seen:2023-04-12 14:23:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:o2iNVjuhxUq+FbMQtoYiACpIZM+C+jcvaGL:o1eUq+FvyZ8M+C9aGL
Threatray 2'002 similar samples on MalwareBazaar
TLSH T122C4F1F853D0970DC8405BBE5A084C8827F688F5C4E9DE8DD9A7A4CB1EBC7A58144FAD
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2d2b21dc77042fd256fb0ddbdbff5a6.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 13:15:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d96c10b-28ee-41f8-af7a-522ef6e445c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381818/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6436acf919d967533f896bcc/reports/0045f99c-775e-46d7-9833-47746ef679a5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f57bd895-497d-41f1-ae31-9b3a8433307c
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212614
Signature
.NET source code contains potential unpacker
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 13:07:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyg27yzi65mogchn4sv4ygvqprw2zkwylf6grcsrvt6ecefqy5fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
AgentTesla
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
AgentTesla
08ff7089f812e334c3b5c2d0fc7e033810a5a49b9042131297ca14d72bf25ca6
AgentTesla
3af5c0843b016faa6129e40b696565d4117b48fd6750164ac4a0f307ef3d6a36
AgentTesla
62413ad16a42665b9396e1cce548b6e212c5cf21d3d2d8ae8c02ba83bd69fa0e
AgentTesla
702731122c8b3822ceb48373d0927109dceaad9de6bddb3ea451c3d406be5518
AgentTesla
a1e44dff73b4a8616ae1b39f3ecf82b457859f3aed8b208ae41e79d7d79c5ef2
AgentTesla
ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b
AgentTesla
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
AgentTesla
f762c98b251097d1cbc8bb09b9deb573132689d83996d6884984d3f334fd2f18
AgentTesla
+ 1'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230412-qcmldscd99/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
SH256 hash:
9e6edd5dd8002601de5fa22e712e42ed84492d9015472be272c776027b943f3d
MD5 hash:
d0a80af4c37b1f0d7e598537d6cd7e22
SHA1 hash:
94accf4d53ceb8cac37ce8b9f52415949adf6624
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
SH256 hash:
2d1be00b6acec03f42812f4b3118d190e232e1a636ff3f9e761a436c4ac6e885
MD5 hash:
ef28db091e1dd87c0b461a8d49fad007
SHA1 hash:
82b576de8e920c5a0e230f18c8a6df7b10465ae3
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
SH256 hash:
8d0d73bca286a4b6d0130bbe65e63935f26d9acbf58a4724b41263d95b13bc88
MD5 hash:
7e65182e80ec0e491a5bb33e8db80ae3
SHA1 hash:
0d921adb99090e2f825615102758e8acc9fd50e4
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
Parent samples :
cce03ee9cac9ccbacb587c0fb5426aa0435a9e1278d0d5472ab0ae06139687ed
1884b7ff2246263409d8e8d53d03371c80affdc9bc588455d0b86e2a77c5cbf1
ac4f95e274427abe5af52a9af50ffc74db27a0c87969d1097dc35d75d36d77d7
9652929fc702b8e9aa0d69b6902bb69b845d3445b174d2b1ec25923de63cad76
98d735989cc1423bdd21526c42deaa86db9982f5c7e6c09d37adb881afa9c8f8
d21806c0151bf7c8df900c319a6eb1ce315ee00298860fdbe1aef252fb3ba160
SH256 hash:
ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b
MD5 hash:
a2d2b21dc77042fd256fb0ddbdbff5a6
SHA1 hash:
a8b8262b8fa9d8c1dc31edb4659804ceabd8ed30
Link:
https://www.unpac.me/results/9b3c7949-1809-4634-9bfe-23d61226c38d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce0dafe328f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe ce0dafe328f758e308ede4abcc1ab07c6dacaad8597c688a51acfc4110b0c74b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2299038/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381818/

Comments