MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9
SHA3-384 hash:	4115fd766dab24a66b1a30b9e0c9eb1b56bff08848c9189e965263f0644c529dac1c8498119a2b360ad72b7581765588
SHA1 hash:	741d7f966266f5b27b57934d5740f4e1ecfce8bb
MD5 hash:	ef4be80f8a4a97514e1800ea1c3ad2c3
humanhash:	ohio-edward-social-colorado
File name:	rPR-23-5049.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	961'536 bytes
First seen:	2023-12-20 00:30:50 UTC
Last seen:	2023-12-20 02:15:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:+8Rc7+GSWtnK1b8G3kICSObzPTkLUbfFjk5unOStpwavtSO:hY+GJnwXk+EPYYbfr3tp9v
TLSH	T18615063C9CBD222BA4B5EAA2DBD58427F110996B311D6D7598D3C395730AE4338C363E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	FXOLabs
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468577/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/658235c9f4b6e5e163510077/reports/3f0e6157-901d-4d28-b61c-bd72ce419dbd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ffb30c78-be0a-41bb-b27e-83c04f32205c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364859

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-19 16:26:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z23phgnai2yomd24t47mup5qrxcjtcjvbux4ftiqpgvd3r43gg4q._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231220-at25eafcg2/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/57c6f1ba-c20e-4384-af9f-b65c36a9c194/

SH256 hash:

c5328f7af843244b56d6a208c322a9315daea139d1b255cda993b243e4394ecf

MD5 hash:

160f4669c06c6496d79a92ea9d33e89b

SHA1 hash:

baae226fdb2a9739f118db781bdc74f2efc6a585

Link:

https://www.unpac.me/results/57c6f1ba-c20e-4384-af9f-b65c36a9c194/

SH256 hash:

20f1680a43917237e1b10ce52abc600f3e75b13225a119498bb74ddd77f5f6fd

MD5 hash:

7a2c3bc8fecf18e55709e564671cc7ad

SHA1 hash:

af3d0eccf1aa788ec70bf5c91a86f41557089e68

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/57c6f1ba-c20e-4384-af9f-b65c36a9c194/

Parent samples :

d02530a2bac21b47a1ecaafc185ddb11680c9a90d0fcb2c52b7b081b952f1cd2
ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9
d8f76c967bb63224cb646cb16ec37c2897ea87a9104c5e6ee115019877d02a86
c177812f5ee5c7643659dba85dcdb7d86134d2a437a8c7934c9b63eb3a5b4530
fcaff63b58fa89a2682cf2f21485df3cd0e37a424aa947fd05106a00b1e8f95f

SH256 hash:

995f9a6227c0cb211189a75abd17c4d9013fd05eb82605b7f867eb0c255881a1

MD5 hash:

9f97753df0ad6001a676f670cbbf7e37

SHA1 hash:

a8b81d895b12f095171b7d734470ecae7a38b244

Link:

https://www.unpac.me/results/57c6f1ba-c20e-4384-af9f-b65c36a9c194/

SH256 hash:

ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9

MD5 hash:

ef4be80f8a4a97514e1800ea1c3ad2c3

SHA1 hash:

741d7f966266f5b27b57934d5740f4e1ecfce8bb

Link:

https://www.unpac.me/results/57c6f1ba-c20e-4384-af9f-b65c36a9c194/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ceb6f399a046/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe ceb6f399a046b0e60f5c9f3eca3fb08dc49989350d2fc2cd1079aa3dc79b31b9

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468577/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample