MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
SHA3-384 hash: 03884dd1d8c1e98f3b0ea717354fb52f21e90c544934e167e8069f4c4e09c7f71452ecbefded80509c2c03c6896f2946
SHA1 hash: ba7b1880bcc1ce3cf66a314486980d3803a1de6a
MD5 hash: ba07e569eeef7705a1b4ef0b19f0f381
humanhash: bacon-one-carbon-july
File name:cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'763'847 bytes
First seen:2023-05-09 13:11:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:5TbBv5rUCkJzjBUf6EAunyTozjvKOidwt2M4KXGCpmTuqaS5kldNKK:zBrk1dUnAdTojvMwtzKCA7aPVJ
Threatray 532 similar samples on MalwareBazaar
TLSH T16C85230279D39471D0621E3746366B2AE93C7A701FB18ACF1390676EDE30681DB35BA6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a2a9d8f88a88c9c0 (11 x SnakeKeylogger, 4 x RedLineStealer, 4 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
Verdict:
Malicious activity
Analysis date:
2023-05-09 13:10:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4730bdff-d0be-4e95-af75-14de7978fed7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387841/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83201/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
anti-vm autoit greyware hacktool keylogger overlay packed packed setupapi.dll shdocvw.dll shell32.dll wscript
Link:
https://www.filescan.io/uploads/645a46a2b664422b69d5ff87/reports/146d5101-c845-49f5-8906-7578900b0cab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c0e821a-5f68-42d2-aa7d-7152ee212c86
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229200
Signature
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 862184 Sample: gg6D6rDgY5.exe Startdate: 09/05/2023 Architecture: WINDOWS Score: 100 78 oiliskim.com 2->78 88 Found malware configuration 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected AgentTesla 2->92 94 4 other signatures 2->94 15 gg6D6rDgY5.exe 34 2->15         started        19 lpwllvbk.pif 2->19         started        21 lpwllvbk.pif 2->21         started        23 lpwllvbk.pif 2->23         started        signatures3 process4 file5 74 C:\olcm\lpwllvbk.pif, PE32 15->74 dropped 76 C:\olcm\bili.exe, PE32 15->76 dropped 84 Drops PE files with a suspicious file extension 15->84 86 Starts an encoded Visual Basic Script (VBE) 15->86 25 bili.exe 2 15->25         started        29 wscript.exe 1 15->29         started        31 wscript.exe 19->31         started        33 wscript.exe 21->33         started        35 wscript.exe 23->35         started        signatures6 process7 dnsIp8 80 oiliskim.com 141.95.172.69, 49699, 587 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 25->80 82 192.168.2.1 unknown unknown 25->82 98 Antivirus detection for dropped file 25->98 100 Multi AV Scanner detection for dropped file 25->100 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->102 104 4 other signatures 25->104 37 lpwllvbk.pif 4 4 29->37         started        40 lpwllvbk.pif 31->40         started        42 lpwllvbk.pif 33->42         started        44 lpwllvbk.pif 35->44         started        signatures9 process10 signatures11 96 Multi AV Scanner detection for dropped file 37->96 46 wscript.exe 1 37->46         started        48 wscript.exe 40->48         started        50 wscript.exe 42->50         started        52 wscript.exe 44->52         started        process12 process13 54 lpwllvbk.pif 1 46->54         started        56 lpwllvbk.pif 48->56         started        58 lpwllvbk.pif 50->58         started        process14 60 wscript.exe 54->60         started        62 wscript.exe 56->62         started        process15 64 lpwllvbk.pif 60->64         started        66 lpwllvbk.pif 62->66         started        process16 68 wscript.exe 64->68         started        process17 70 lpwllvbk.pif 68->70         started        process18 72 wscript.exe 70->72         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 06:57:44 UTC
File Type:
PE (Exe)
Extracted files:
507
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z57mv27ywhjrudk6xktuwkpmmrk5ftg42di5cwdxfhxojghudjhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
AgentTesla
51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25
AgentTesla
592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
AgentTesla
64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a
AgentTesla
726bc1cc141d4ad30a0a1622d3aa8ac21af76273180b0efd160d2cc12d4a7fcb
AgentTesla
8e16304b756988b8fedf67c9c0eee38873fa743a2e9beae9bfc7bc44206e6a5d
AgentTesla
ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b
AgentTesla
d12374b77206c950e02f93c953e663d3f09a9708f9313ae0a74c636cae4851b8
AgentTesla
e6d98d839dd2372b008ed4ec970c951963b863f89959d2d917cbe32fe7ce7f21
AgentTesla
fe8269a96b39d622796d4ded1ba8c9bed83e8abb17d0c159f8a3eac96594c965
AgentTesla
+ 522 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230509-qfgvbahh6x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
448bd3a51117128565cadd25316f65113e83f07e25a71c61c8fa0d9a31a8caee
MD5 hash:
14d776832cca77281595996852719871
SHA1 hash:
019794fd4737c614058bc81f1e5fa8e43bba582b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f0ece2ca-d2a7-4414-a2c2-f51b1f701823/
Parent samples :
cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
d3729ee774783f9a15211e79e021238418c97d4625631368f7c2e187678ba72a
SH256 hash:
323cbff132e4564b4cd86dcacafa3660c91b0ac787257e03ef34d5e4b2d5539e
MD5 hash:
eaf5b1f5f41ed29674bba9575a2376e3
SHA1 hash:
caf9d2458c7db105f8f9c3b1418894a52fcdbeb4
Link:
https://www.unpac.me/results/f0ece2ca-d2a7-4414-a2c2-f51b1f701823/
SH256 hash:
cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f
MD5 hash:
ba07e569eeef7705a1b4ef0b19f0f381
SHA1 hash:
ba7b1880bcc1ce3cf66a314486980d3803a1de6a
Link:
https://www.unpac.me/results/f0ece2ca-d2a7-4414-a2c2-f51b1f701823/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf7ecaebf8b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf7ecaebf8b1d31a0d5ebaa74b29ec6455d2ccdcd0d1d1587729eee498f41a4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387841/

Comments