MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
SHA3-384 hash: 32a06b2653310ea9ab3463b723a091c91a793d7e4af62546d9f8bdc409b29a58526eea935b08f6ae901bad580853ea01
SHA1 hash: 324990dc558a360687a65cb9ac3033897b85d331
MD5 hash: 0094f8cd516cdb4e4f77589b747a6126
humanhash: tennis-nineteen-batman-maryland
File name:SWIFT COPY.pdf__________________________________________________________________________.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:936'448 bytes
First seen:2023-10-24 13:06:36 UTC
Last seen:2023-10-24 13:07:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:2BrlqrwSVlvKV90/tV87P+uls5MLIrSZ1gyH2/+f8xriK9:al/HQla7c55rSZ1BW/BOK
Threatray 134 similar samples on MalwareBazaar
TLSH T1EF154D3D29BD223BC165C6B9CFE5C827F004D86F3461AD6698D357A64347A8639C323E
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f0c0a6bad4e0f1 (2 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe SWIFT

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
Formbook
Create hunting rule
ID:
1
File name:
Statement Outstanding.pdf______________________________________________________________.exe
Verdict:
Malicious activity
Analysis date:
2023-10-18 15:06:04 UTC
Tags:
Formbook agenttesla stealer
Link:
https://app.any.run/tasks/c43ca043-f5be-46b6-8dcc-aaad16e222b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455991/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.710.28699.24584.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6537c1774678fc28dfc880a1/reports/be7d2bb1-48f6-420a-a83e-e3c966f1f6bb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0882977b-df9f-47ce-baea-b27be3b87ead
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331273
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331273 Sample: SWIFT_COPY.pdf_____________... Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 40 mail.expertsconsultgh.co 2->40 42 api4.ipify.org 2->42 44 api.ipify.org 2->44 50 Snort IDS alert for network traffic 2->50 52 Found malware configuration 2->52 54 Antivirus detection for URL or domain 2->54 56 10 other signatures 2->56 8 SWIFT_COPY.pdf__________________________________________________________________________.exe 7 2->8         started        12 mVngXRp.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\mVngXRp.exe, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\...\tmp71D2.tmp, XML 8->38 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Writes to foreign memory regions 8->60 62 Adds a directory exclusion to Windows Defender 8->62 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 24 RegSvcs.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 46 mail.expertsconsultgh.co 173.254.28.237, 49719, 49721, 587 UNIFIEDLAYER-AS-1US United States 14->46 48 api4.ipify.org 64.185.227.156, 443, 49716, 49720 WEBNXUS United States 14->48 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->72 74 Tries to steal Mail credentials (via file / registry access) 14->74 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 22->32         started        76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 34 conhost.exe 26->34         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 06:41:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3s4cwkxpa4hqi77eeozhgud6yuigtjxuzgfk7dizqg7fmchzlrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
197340e586131099b95d8d2fb46791806f018fd643172e841cde25bd436b90d8
AgentTesla
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
AgentTesla
7df6c33cbd852c467ef5a454451436e31a48d360a4959224e11a79ab4ad10f91
AgentTesla
9d3b52ca879885a78c6877c9ef71c18fd7584ab7f1aa94e6154edf5fb1d553f9
AgentTesla
b8b3c1fc69a66c4b0f1da90ca2968b465880241ddd81dd641217fc706d72194d
AgentTesla
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
AgentTesla
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
AgentTesla
+ 124 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231024-qcmldsda81/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
887c1868b2035053475d59246536ddd62c27337ec9f013d6dfe6c995e8eddea0
MD5 hash:
5bb973a00cee0e6c57b856335112abc7
SHA1 hash:
fe1e343446b8eb10b55d2a73e9f5060b375275b7
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
SH256 hash:
6dd4bc20d7b54cc3f445ece3c95f8e25b20865ddd884e079d75fcd8abc61025e
MD5 hash:
77f989b99643336491b025d9fbe65f11
SHA1 hash:
d9747386b61e9c92f92e1746325b753233c502f6
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
SH256 hash:
d511c0658340ec9d35d8f08fd22ae55c6aeebcb52dac453040817a6f9ffd7e43
MD5 hash:
3ac67cb9041168e636198401f53d857b
SHA1 hash:
6207398f41db994130c80150a0c2598045e68b45
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
SH256 hash:
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
MD5 hash:
8560712e92050b126209625784bac522
SHA1 hash:
31ace913c80581487089a4ce88a03616cda905ed
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
Parent samples :
d9c02f3e9cc894fd55747ee2c449c1c40c2906d9fe1134994593eb0e81589a30
28657acf0a25a10979f1f7df41780b42fbeef920272067f9345f7a6a4788f889
3b0760dbe7dc9ac6a2cf5971ddde67c51e57bc973995cf641de226409b537817
930ac5c7da662a0118aba6fa78aeadf706ed8b5ab98e03b94dbd04991dfd2b7d
c8e68f203b9337e1c2fcad8e7e07ef501ed983f5ea597172d7263631d65aad89
f8105fdfa774017614ec9aa30084a2a6645456c05704896fc972dd5d0c99ec76
ec57c2de3349840ec8ac00000c964ba5c68cda5b954f6ea4ca3ced7098257286
ddf7770047bab26cd3cc7752df568dda1b03789739ed404e3c5143bf0abba51f
9edefc168186e3a7ea6785affc672f91cbe4f592d4b84c75435866f16eddc82b
4f14ea5723dc55b7fc4a76f7bc7f5a834a16f531d8d47342b9a64a79678d417b
bb5557412213a1e283b548c6cd1da5c5848610756cd98352e6a77bb7ae952839
208319e004a6786ea50aacc67797171f4f4356f232bbf2e99c91cdbbe48c7624
5ab2ba45e2190d5a88041adb9a7be32bebe71a846832bba6efde116531d087c2
f4f24561c696372a62370c947fdecb96cfa6162711718f79a2c2e07836b69c80
4c2cbc5a9ebf7ef6269d1b0533da551b9e1bd419d0e8626db602ea0f77ae8f08
600d4ce1088af7290d2e4096db034af9eca3431a7942073dc485788a538a0747
b5169b6fa30cff601e0f3473f0a95006767553560753831f4e7f365758011433
ad2a1e6ea8fb128c76cafb20b9eae42b641ba5bf8932ac1867a8e3c51889192a
00ec18a18e5816731a60f69bcbe7c9296ae4084e5e390e8b545d475e1a37c7d9
a9bfb74e882c289a3fcbdc104411229292d0127efacffda9beb22206f58630aa
d65ba38b65d9ef5515d49a13be05cbdc0094c25a6ae4823935bc6f838de759a7
fcd2ed1088d64779e16e5134652d8360212e613b75c6cd5929216cabe27cfeeb
e840cb2a1c0451789b6c1b1565a75976bdafed728d435252b324d6800df5ff59
0b675485123aef301b8f33a5ebca2b1dfb12c7bffcdc7331dc16615c9d6b0495
e108137aa0469b5a1affc9d86a92e9e844a9540d9082ca5511b67de114310f88
ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
768ad01a4a10350c639160a41fcb2e08e108cfeddb993cb2535bc1804fdd1a3c
ac4ba0aff57a411df5eabcec6b1ab5cff2ff47dcf578fdce74be6cd3405b626c
a92454653447052d1a4d2342adeae2ae74a0499868a6fbd7834773b47b368cb7
c7834a1e61260b87156453c5281e2dc6f922d6ffdced1cec6ad2c5507680fa17
66d429595734624fc9610dff9b019f6b1687865f7197094a6102ced753453f9d
b6ae3f27029900241bf6ecd397a0686061db57ce48df21098bc27d365fc3139f
b0f78bdc2bfc668fc39e8735344d5c6ca8f78290132b70734c76dbf436c41c44
52c04c41fc17f8f05d233e2b9403fcebc3ccb8fb1b4e7d776a9b7db78d4fa980
c94c3741876b0ec763fa759b91c10d941c12626e84ef0d43c6c64cec7959f4f8
38468ab187452cb5bb9572bfe5b111449b8daa66678cd67396f8d5ccaaa382a4
e774f64c2078e0b89fa7a65590044e70212823f02b0300636deff0ccb5a36971
d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
cb7de7bc680acafc54395cc399b1a38c440424738270c4bbd005b4a13229fc39
cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
ecf78018a9b656858115827b54ffcc201ade5b5eac4012d1675bac037066d9ee
64f84dcf2d8ad3535479de54fd7d15eca200089b01f5d4abe8ae8809e58623c2
SH256 hash:
cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3
MD5 hash:
0094f8cd516cdb4e4f77589b747a6126
SHA1 hash:
324990dc558a360687a65cb9ac3033897b85d331
Link:
https://www.unpac.me/results/3c4b293d-9f59-4ff6-96e0-651f4528e052/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cee5c1595778/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f90473281e8db0f484e0083a8aee85c48fc8ed06dfcd652c083e831682640f51

AgentTesla

Executable exe cee5c1595778387823ff211d939a83f628834d37a64c557c68cc0df2b047cae3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f90473281e8db0f484e0083a8aee85c48fc8ed06dfcd652c083e831682640f51
Cape
Cape
https://www.capesandbox.com/analysis/455991/
  
Dropped by
MD5 c742d94a6390e9105bec9f2c57d61dc0

Comments