MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc
SHA3-384 hash:	d55680b4a02802fbe2b45701d32f4f557d4c5a62a355c5cdd4dee82bfdd9cf374fb3114ca1ebf0f4220f843ee8c17717
SHA1 hash:	c79f6afca8f7d390b73f5dadf4718a66ca1f7e32
MD5 hash:	88d1527458742f7e2c88b92bc6fd2453
humanhash:	sixteen-finch-music-emma
File name:	Copia de remesa_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	696'320 bytes
First seen:	2023-02-18 16:13:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:KxucqDSu5Dsv9t5WH4sustv6A/uEHf+65ueQ5+Rp01D+GQUwwFDsv9t:KucqDSu0O4sRz/18eQ5YqDPQU
Threatray	1'040 similar samples on MalwareBazaar
TLSH	T106E49CCC81F2EA3ECB498EB9370035081BE05643B924D9E6E3E5FAC22F36563599D535
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

251

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Copia de remesa_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-02-18 16:16:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b34cf0be-c0f4-45c9-9f46-7ba3f831992d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368144/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

SecuriteInfo.com.Trojan.GenericKD.65538251.17475.30756.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed strictor

Link:

https://www.filescan.io/uploads/63f0f94bc0c2113f82dab0bd/reports/8e576b98-6d52-41bf-a845-68561adc15b1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f6fd57e9-2891-481d-adfa-cf5477f55002

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1178695

Signature

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-16 18:16:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 39 (48.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6fl5dxi443ilw5zmsk5rq2cr5yfg77l3xc25f5pkwrah3chok6a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

13ed10331157947caf6eac920f6b467c3170eaa5022b704d4596c0f397f8654c

AgentTesla

30c0d3fd2e08ec5373038ad0b90f1f1cb1a475661bafcc8a110e965bcc9d8f21

AgentTesla

3e71398f2c545fe979dbc8c61ccaf8bd055a7d5855d978b0bf006fa6dd1222ed

AgentTesla

9a4dba9c3d3c74e021c2a07cb5d44aee1f36f697394d729f9735cb38792a86eb

AgentTesla

9e6673ec8013e61cf5d5f88cd7b5f937f00c586a1cd41029bb9f204be7f940ab

AgentTesla

c401c299ae6aaa43a559d44471448b3c177a9d74829832fed88edf3bd6e5e789

AgentTesla

e00c81eaf51d453c0a837df83d38b33cc4217bc40473a5a927c2434a1520a520

AgentTesla

f77bee7347c6139e6ee4f9410f5ff2305d6d5338f050926b678c22cfd90f19cd

AgentTesla

f8fa4a68488cfbb2c7130ee2637393f65e6a2585bf9171bcda0f0f7a7e4cffb6

AgentTesla

+ 1'030 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230218-tpmzgacf87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5249845718:AAGAU-0wsEoqm32Ml21Y0Irz58kvd5j9Gss/

Unpacked files

SH256 hash:

881207aeb4739ff5897dfa07215f57e6dac8481bd05e3f42c81f43de3fc0ac45

MD5 hash:

d92a06bebaa2e64c56be17f00aaf61bd

SHA1 hash:

cebb63817143c4b218cc6cb26bbc68ce02e96fd2

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

c01c224ee8d706f3e41d0ed13835be85aaa10644151a9209f7aac2f95a2f02bc

MD5 hash:

60db1c2f2e04b60c2d5dd8268d543d26

SHA1 hash:

77b996efcfaf931ec0c784412cbe185700b26d95

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

SH256 hash:

c12d2628d984c0b8071e1daa76812d8eae5cd9a18dd99eac444ba00d38977501

MD5 hash:

ec47f2cc8cb2264f192660aa1c81f96d

SHA1 hash:

50b322aa2022e5570911ceb2ca39aeaeca91e540

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

SH256 hash:

8dc98bd92712ed475b0354c904d94607d924f00603187df3225f80d2a011985b

MD5 hash:

0a6fe06ba21f75636c14410ad380211d

SHA1 hash:

0a45dc5ab40828efa466928a4b37fbf0b17d0b2e

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

SH256 hash:

cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc

MD5 hash:

88d1527458742f7e2c88b92bc6fd2453

SHA1 hash:

c79f6afca8f7d390b73f5dadf4718a66ca1f7e32

Link:

https://www.unpac.me/results/1106dff4-02f6-460b-9cf6-ba9a0e5717ce/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf8abe8ee8e7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/cf8abe8ee8e73685dbb96495d8c3428f70537febddc5ae97af55a203ec4772bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample