MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9
SHA3-384 hash: 222d9de514842de9214ab4ed7cdb71a75a2a4cd5b69c230ef0cfcfde9e49466e133a43cde691456e99e0783e130b9276
SHA1 hash: 1232767b8ff9f2cf75d2f332625d644e55088c28
MD5 hash: 488c6ae6e4a3ad9aa99442fe0000cb75
humanhash: batman-dakota-pasta-sodium
File name:P.O #CSCL REF 1198.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:632'832 bytes
First seen:2023-06-15 01:00:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:X+n9snBbMUjEtsiD2+/SFPaNc68l35O5K5hAsBzpn77ngUiN4J+Ts:7BAUIOiHSFADBRsLn7MP4J+
Threatray 2'749 similar samples on MalwareBazaar
TLSH T1F4D4F16B1A5B8832C83606F85562F6FE91317FE42527832A9DE7BC73F1793439C06096
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 68ec9acaabd0dcf0 (12 x Loki, 8 x AgentTesla, 4 x Formbook)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P.O #CSCL REF 1198.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 01:01:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e059bb43-be21-4de0-b68c-48838f6ed274

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398985/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67181214.4036.7977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/648a62cf9069800b43bc1241/reports/f7bfc7ef-2b9f-4c7a-88c6-2bc22e0cd360/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f3a04d3-a32b-47c5-9231-9e3199776a4d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1254969
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 887989 Sample: P.O_#CSCL_REF_1198.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Antivirus / Scanner detection for submitted sample 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 4 other signatures 2->80 7 P.O_#CSCL_REF_1198.exe 7 2->7         started        11 BtUDlhECClBgLH.exe 5 2->11         started        13 sOFvE.exe 2->13         started        15 sOFvE.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\BtUDlhECClBgLH.exe, PE32 7->52 dropped 54 C:\...\BtUDlhECClBgLH.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpD192.tmp, XML 7->56 dropped 58 C:\Users\user\...\P.O_#CSCL_REF_1198.exe.log, ASCII 7->58 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 P.O_#CSCL_REF_1198.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        98 Antivirus detection for dropped file 11->98 100 Multi AV Scanner detection for dropped file 11->100 102 Machine Learning detection for dropped file 11->102 26 BtUDlhECClBgLH.exe 11->26         started        28 schtasks.exe 1 11->28         started        104 Injects a PE file into a foreign processes 13->104 30 sOFvE.exe 13->30         started        32 schtasks.exe 13->32         started        34 sOFvE.exe 15->34         started        36 schtasks.exe 15->36         started        signatures5 process6 dnsIp7 60 api4.ipify.org 104.237.62.211, 443, 49694, 49703 WEBNXUS United States 17->60 62 us2.smtp.mailhostbox.com 208.91.198.143, 49695, 49698, 49702 PUBLIC-DOMAIN-REGISTRYUS United States 17->62 64 api.ipify.org 17->64 48 C:\Users\user\AppData\Roaming\...\sOFvE.exe, PE32 17->48 dropped 50 C:\Users\user\...\sOFvE.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        66 64.185.227.155, 443, 49696, 49697 WEBNXUS United States 26->66 72 2 other IPs or domains 26->72 42 conhost.exe 28->42         started        68 api.ipify.org 30->68 44 conhost.exe 32->44         started        70 api.ipify.org 34->70 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88 46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-23 05:57:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3gqz6oe7rykyzwxskcnljfujwttxjmpeppejivabubizzdpvteq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a2a0d105987a84307292e9aea9d6e5b4ffd614994aefe408dc97a4356c7b59f
AgentTesla
431106d0fae621b288cec117c34a315178103cb6444b3a0c41d841c376a6dcf0
AgentTesla
677094197476508f5e6d59632ace2106fc0a07435850f1541ff69be9e939c7bf
AgentTesla
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
AgentTesla
8b88f918a3b7c133e7bb6cf209ede9d0524cea021694ea55764ff1a292749d09
AgentTesla
c2c321ed68a43b98cb9d54d4c039efd152b571f8251236db52a389a4d18132e5
AgentTesla
c9a2e27125a45f8b667438d540f0a02e811331e008c9a3c145c36804f98144f7
AgentTesla
d28d90f64872cb3f350dc5a443faeb6c5856f0b4cee8cfaebb4041bdb64d525d
AgentTesla
d5f557e16db625fb63ce5b68ab5f68a77f68adbb7a93713c0bae67cb5762288b
AgentTesla
e806e1ccf15d72165553c872da8845af333febafaa541c75ad362d8d7bd30a73
AgentTesla
+ 2'739 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230615-bc75rsec31/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c0ae705d6a0ae5a8a52113db39c23219d89dc2c8df6a2658be037cade8ed24dd
MD5 hash:
b81f8943bfb2e404c0c1899c86fc148f
SHA1 hash:
f2240d6cd7302f3c798e409ed0dadb047a77c2b2
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
SH256 hash:
cb5ee4cfd7179a57298c02ce4ccc9c2ca6b0b310758a7320340cf0a40ab62f88
MD5 hash:
0dd66dbaf510e93ec00b9eadf5ec34b6
SHA1 hash:
b7e1b7bbf2d58cc03beeb7095ae98e03426f39a7
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
b6a075704580bb8867416d19d04be2ce85153440e1d4dcac55e9180fae4d32d2
MD5 hash:
64f836ea7f6eab785d5c192d2e954c7d
SHA1 hash:
72fbf87ec7282d1fd57ee7ddb5860fabd0bfa70e
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
Parent samples :
1d49c75958af33b4be6f0ac91a7d3731d4bffb61ed041851b5de0dcb977f4100
6f38fc7509204ef8b9714ab09f16697665bac64f6b1a3f239660fc6acc0eba3c
cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9
1445df50c20bc522a9a3a27e89e5b14004b1cb208cc72073e3f8d7ada1e7f415
c7581cd1e3deee8976cdd1a90b9a76c130716f7f4c8c97838d3414f91efb4c80
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7
SH256 hash:
4a517339ea093427641fd32fc44e8a3c85b082948ed525c3a3fb4e11e099cf8b
MD5 hash:
67a7844c82259f01db8e37b213b14e93
SHA1 hash:
4aa02ccc858c424ab629dbc581c6bcbfa0c3469c
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
SH256 hash:
cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9
MD5 hash:
488c6ae6e4a3ad9aa99442fe0000cb75
SHA1 hash:
1232767b8ff9f2cf75d2f332625d644e55088c28
Link:
https://www.unpac.me/results/77c193e5-de93-419b-9e44-fb7fe5221c6e/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cecd0cf9c4fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cecd0cf9c4fc70ac66d79284d5a4b44da73ba58f23de44a2a00d028ce46facc9

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/398985/

Comments