MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
SHA3-384 hash: 3a3996298d8066f41840c9a6da3dfaa87c5362911136920afb6687f040f901d5b0b9283e4615d1642687cd0c5cb30222
SHA1 hash: 72759ad39425e85a9c8a766db75b7e6ec8c80b10
MD5 hash: f653eb1fb00fe3d29d270f7ac7d5bf1d
humanhash: apart-delaware-island-nineteen
File name:95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:267'264 bytes
First seen:2024-07-24 06:58:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 6144:YDKW1Lgbdl0TBBvjc/q6D6d/rtiaAxMGG+ui:+h1Lk70Tnvjci6DUorui
TLSH T17744D02075D1C2B3C4B6013045E6CBB69A7A7072077A92DBB7DD17BA6E213D0A3362CD
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter ukycircle
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
JP JP
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a0a645a97e13ad9de79f4e
Tags:
Infostealer Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed redline
Link:
https://www.filescan.io/uploads/66a0a6404c5c17942a7c8d83/reports/c78c3553-cdc5-46c0-8858-b3950ab37ee0/overview
Verdict:
Malicious
Labled as:
Dump:Generic.Dacic.382
Link:
https://www.hybrid-analysis.com/sample/cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb3cf085-a95e-49f0-9502-8760618f7c5c
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1479851
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 06:59:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z67oxwded7bp376mcbldmxgp4fs5xb6bfsqmnvodvy7t5dnvqbea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240724-hr4jfstcqq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/99874948-4bbb-4ed7-9442-7a81e2d6e0dc
Unpacked files
SH256 hash:
44b65d08842f3c75d4bdb2b26972bc3ff95b70113f88a9ded5b50e3e25f240a3
MD5 hash:
b3ee6521ff9e87928c19e0e903d5ccee
SHA1 hash:
566b7e8e81c5631d016e16c267f4e1478d8a006a
Detections:
Agenttesla_type2
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/a5b4a6f9-a814-4741-8aee-97904115c7cf/
Parent samples :
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7
cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
SH256 hash:
d9fcf153b9a9904676a9a544237bb55deaa15154a3677955d8f6ec15871790a4
MD5 hash:
c15435dd51621aaf7ae1140a420d6844
SHA1 hash:
0305ef770f51fa5e6b2cda12d57a3bcddec90c12
Detections:
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/a5b4a6f9-a814-4741-8aee-97904115c7cf/
Parent samples :
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7
cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
SH256 hash:
cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
MD5 hash:
f653eb1fb00fe3d29d270f7ac7d5bf1d
SHA1 hash:
72759ad39425e85a9c8a766db75b7e6ec8c80b10
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
Link:
https://www.unpac.me/results/a5b4a6f9-a814-4741-8aee-97904115c7cf/
Parent samples :
95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7
cfbeebd8641fc2fdffcc1056365ccfe165db87c12ca0c6d5c3ae3f3e8db58048
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfbeebd8641f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments