MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceed05621c2de1d23ce22a9f2dfedf5891b5222abaf013c47acde6defdae5a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 15

SHA256 hash: ceed05621c2de1d23ce22a9f2dfedf5891b5222abaf013c47acde6defdae5a50
SHA3-384 hash: 385440536c952e1d1c2036c846eefc0c8441cc1845d8de89d990eaa5115d1a7080508181abedf832e690f80653cd83c3
SHA1 hash: 8a34c6a3a98a433de7683cedd2e052ed32bec7b2
MD5 hash: 0f6ac15ff17ab49e64f770ae9ee81e85
humanhash: fish-enemy-pluto-summer
File name: FeNdmWxJWfnThMV.exe
Signature: AgentTesla
File size: 683'520 bytes
First seen: 2023-05-22 18:19:20 UTC
Last seen: 2023-05-23 13:36:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:mtPx0YPX/NqPslTaM38GjjY4Jn5Bd8LmmvWhc2fkfCyB91:mtqHPs/3e46vO2IyB91
Threatray: 4'061 similar samples on MalwareBazaar
TLSH: T198E4F1C16A989D10E69A5FB55AB6F23403742C65EB27C30E24F42C5FBC66B827B017D3
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 224472b2a0c04280 (13 x AgentTesla, 10 x Formbook, 8 x Loki)
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 266
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: FeNdmWxJWfnThMV.exe
Verdict: Malicious activity
Analysis date: 2023-05-22 04:07:07 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Setting a keyboard event handler
Creating synchronization primitives
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-05-22 01:09:54 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 26 of 37 (70.27%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction: https://api.telegram.org/bot6099836385:AAEfA6VoBkRvWID2b0aSRYBqFwUQJ2ZBemE/
Unpacked files
SHA256 hash: 4c7ce432433fc3a8b0a33d558e0041d3f1c222224c5e61f33104d990a534c7a4
MD5 hash: e8d756b4e2de5a67446e0b1b80e1bb99
SHA1 hash: b664448f87ac044a16706d35e5d76538ba79508a

SHA256 hash: f78c24efcd0fd600fe146c8160e0cce26875ea06e28f065f83786dc6db059795
MD5 hash: 5cd044332af602f421e66f68f22b644c
SHA1 hash: af87ee063e8e335ddfd0d2eb6aed684e89d2afb4
Detections: AgentTeslaXorStringsNet

SHA256 hash: 16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash: fb4ed205b442f470bbf10913128efdcb
SHA1 hash: 9a0a4c5ae429769e3253a9a3daefa24270b87a5b

SHA256 hash: 78f32d95926e6e6a56e6327d83ff3401e3c0bc05d5fec3df0ed01c01ccb11a5a
MD5 hash: 5b913f5abbbe1bfb14a91753ee84c435
SHA1 hash: 8a4eee9c01d87fc0532a96d86b6d4fea34264b55

SHA256 hash: e5a437a5f695d38eae1411fae19dd191b8222e10decf1bfd72804099e95684ee
MD5 hash: 3afa4a5a91a2991106e5189a66e03ee5
SHA1 hash: 4d108690243995c75a5a6f9b38de0708a374f66f

SHA256 hash: ceed05621c2de1d23ce22a9f2dfedf5891b5222abaf013c47acde6defdae5a50
MD5 hash: 0f6ac15ff17ab49e64f770ae9ee81e85
SHA1 hash: 8a34c6a3a98a433de7683cedd2e052ed32bec7b2
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla, Executable exe, ceed05621c2de1d23ce22a9f2dfedf5891b5222abaf013c47acde6defdae5a50 (this sample)
Delivery method: Distributed via e-mail attachment

Comments