MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1
SHA3-384 hash:	66ccfa07ce64c88688e947285d5b0862c258e0107dd70f5758e5467c4777ce0766a5984587af2ee6a41a9e0ef8302132
SHA1 hash:	45f69a7210a8eda4137763eae5950dea164c3622
MD5 hash:	e38ef1fd0046c60be8c80e0486094f46
humanhash:	artist-cat-sad-cola
File name:	Payment advice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	625'664 bytes
First seen:	2023-04-19 16:10:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:XPGl+ZKGOn1YnKafrAxpLqJ80k3ayDcjZsBjdJ0QHVJIPJ:XRZOYKafkm60tyiZW0+VJS
Threatray	2'304 similar samples on MalwareBazaar
TLSH	T14DD4E028A271AFB2E19E077200142ADDDB7161E37477C23C4FD7B4D5EBAE7181988987
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment advice.exe

Verdict:

Malicious activity

Analysis date:

2023-04-19 16:48:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/03749304-f0b7-44ac-980d-0d2b75eff639

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/383476/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/644012678c1908d5b414cd88/reports/2bf5a510-ba94-412a-8d58-b619822867de/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f6bb97f-04d1-4ff1-976e-5e96c047bf5c

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1217250

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z2pwdyuhczxcobsetaolpbggcbtlzxr6sbuwsfbvxhyvetqd7oyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580

AgentTesla

5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b

AgentTesla

702cee46d4f13081bcca06cfe54412f0e9115a48035d440911fae79ea0100ae6

AgentTesla

80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d

AgentTesla

8943593e7957a1ec506da8328e3b1fbe8447e6daf23992e007756ba79a13c095

AgentTesla

8c3a54283aca092b244c89ebb641bb372808b3e51b752936dfbea95dc32eeb95

AgentTesla

d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35

AgentTesla

d54151c230934c4d85c69c1b0e9f8dacd60104fde0d2036a7752f49293d25c5b

AgentTesla

e140afebb983de95cb1dd97095f73929c26dd35d5773c170c95c94b7af5023bb

AgentTesla

+ 2'294 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230419-tmekbadf7z/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

c3b6b8da0a1aac959f36dca987e77f79e1d2a61f57dcae00bca4a2ee67deb83e

MD5 hash:

6ea6809f5d36cc73602c84b5d3f9eb02

SHA1 hash:

f051fed533d686d8cb3f37ee1f0bdd3a7d196210

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

SH256 hash:

6d528a8e231b03c1fabbdd75f4a4137aef32577ccd9899b2abc5d8288faca1e3

MD5 hash:

21ee7f03b17561e296a9427a17967a81

SHA1 hash:

ddde2dbdd1589d38db7ad51aef18f922e51d5a7d

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

Parent samples :

3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580
ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1
b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e
bbdd3c67e8780f70bb81bbd019cc39c40b8efb9653dcef5e625409fc3ceedd10
5ad812cb5f8de1cf00232dad670e6d0711e198d8e97ade700fb7d8d1819e8570
66559a620120bae83346077c331fa493ec8f3c32f760aec990d972e72ff50578

SH256 hash:

e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688

MD5 hash:

920a2854e9c183ad2ef7d5543c296d38

SHA1 hash:

2c20da753bdf6f1a46261e2c132dd42f75c94229

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

SH256 hash:

42f7590a851ebfd97d2373951095c57c2e5e66d092c1675b39d26e24fc3d70b0

MD5 hash:

2b6555a230c636d384a37287c2971d00

SHA1 hash:

1210e8042e60322640bd2c37de358c8e7057449c

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

SH256 hash:

698efbaf29ad1c5a3d1db7008beedcc08561ac27467188e2fd8c212085326c66

MD5 hash:

d5fbbb438371b82c274fc7e82828db8b

SHA1 hash:

032b764ef5b3eaed11fadcd726d27fc05264fca2

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

SH256 hash:

ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1

MD5 hash:

e38ef1fd0046c60be8c80e0486094f46

SHA1 hash:

45f69a7210a8eda4137763eae5950dea164c3622

Link:

https://www.unpac.me/results/f5c6bf38-9952-4a42-be98-ee8a66321080/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ce9f61e28716/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/383476/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample