MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5
SHA3-384 hash:	4bdead2a2f896d273ae4461edaad976a031392fc5104860c2a4c30145ff36d1456430cea266f74ffb59b7a173fe5b9d1
SHA1 hash:	59c30e247689d4ecba080af498b4a4408dca5c62
MD5 hash:	258bf1a469ffded4ecce4ec3f63db765
humanhash:	undress-william-mars-grey
File name:	decode_866e0187a1c221ddc3b4cafbe2578f7e1e4145ec4ad6913e2c198ab7948ee1f6
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	170'496 bytes
First seen:	2023-01-23 15:41:10 UTC
Last seen:	2023-01-24 10:28:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:ZAv9zle4yFhIuCoAqGo7iKCQ4tCP82LYMu/pznM3nzn3C8:ZAFiFhIqHiu4tCP8q0ps3C
Threatray	20'148 similar samples on MalwareBazaar
TLSH	T13CF33B6892894F51E72D447DC5A003540AB2A1478B17E77D0EB1A8FA3F467CB361FCAE
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	jstrosch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

decode_866e0187a1c221ddc3b4cafbe2578f7e1e4145ec4ad6913e2c198ab7948ee1f6

Verdict:

Malicious activity

Analysis date:

2023-01-23 15:43:26 UTC

Tags:

trojan rat agenttesla

Link:

https://app.any.run/tasks/09bd6e7f-a743-4ce6-b320-9d4a21a4affb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/355938/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Setting a keyboard event handler

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

67%

Tags:

hacktool packed

Link:

https://www.filescan.io/uploads/63ceaace447edb203a006904/reports/e6c88277-5fa7-45ac-b223-8ee6c43c8c92/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/95468a4a-9f6c-4c60-92bc-3f9e47d5b13d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1157183

Signature

Antivirus / Scanner detection for submitted sample

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5/

Threat name:

Win32.Trojan.Lazy

Status:

Malicious

First seen:

2023-01-23 15:44:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 39 (35.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z5njcbwsqtiwhifc76v4vl3nvphi45tvep2vqsmarzs4uu3ipc2q._file

Verdict:

malicious

AgentTesla

106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871

AgentTesla

1326d9172aa0687e037a43b532cf2fb0e2ba90bff2e35efdebac87c3b06560f2

AgentTesla

2539c6afb8cadcca6bff6d5c73e3d345577681b31de03809b7431c1f15ae85b8

AgentTesla

5a64665bdc77f9386891c1a251064decfdce7e9782bb4b47d95e2c14238d46f2

AgentTesla

aa724992c2ca0d11c006a4b8d8f4a26a20b8b08d82f3afba1ad85ebeb5129344

AgentTesla

bf5fcf3bef3263d12338e52f704bda62ff8e2518e99e019571e10ceca167f18c

AgentTesla

ed1dd3f734ad29aaa1da6ada3823d8537704310f257e44524ea08d4c5f81ff3e

AgentTesla

f7ff5363ab3abab34b14cd4a9962d092a506a00c0ceca50f8666aa3bd93da5d0

AgentTesla

+ 20'138 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230123-s5b2gaea29/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5

MD5 hash:

258bf1a469ffded4ecce4ec3f63db765

SHA1 hash:

59c30e247689d4ecba080af498b4a4408dca5c62

Link:

https://www.unpac.me/results/69e63ca9-584c-430d-a213-c86e356581c5/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf5a9106d284/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf5a9106d284d163a0a2ffabcaaf6dabce8e767523f55849808e65ca536878b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/355938/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample