MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c
SHA3-384 hash: c86fa3391d40461e6ba63507de80ce49f02d170c341424152de40e26aa6be108e3347727cbe74702e8014bf977c37a9d
SHA1 hash: bc1f31388d6154a6f0958869bedc3884824e560c
MD5 hash: 49dd991a1bc83bc0d0eb9720211b9ed8
humanhash: tennis-high-beryllium-paris
File name:Copia-34083760001-19-07-2022.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:759'296 bytes
First seen:2022-07-19 12:11:08 UTC
Last seen:2022-07-19 12:50:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:WNKRcqErVrItyZIG7nOu2I8n6gz1QjHDOYIe7qgZb4NWb2gb3IU3ScaFlSNS:WzBrVrIsZIyEB681QTaYlaO9VaQS
Threatray 18'186 similar samples on MalwareBazaar
TLSH T1D2F423623A35CB1CC97D0BB674619481B3B356423271FBFDAE9192CE5632B014B52F63
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291864/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.11124.7377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d6a04b61945a46c8d4e386/reports/9cbdedbe-75fb-4a72-ac68-b75cb5fad2ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8b0c9d9-97e7-4152-8f75-133aaf832637
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036488
Signature
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-19 10:12:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7uiqnid63dhlvmlruymdufjazg2gkp4qk7u6xguemdyhvj2lrwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
123de48e610d4e6dacfb9722ccf5073154cd419537a7b60aa510d81e06e51404
AgentTesla
1902a8d9b1dda384a2d4b6ae3193f83bf893779d0bfe7936b0017e0f53cf24f1
AgentTesla
1e4efcd576c34d1af12971bf6274286b865a5a3bfeaf9adc1fc35ecca449d23e
AgentTesla
287560a61ca6e1a2793213f2633f6d10c0870926b0b0bf4478f66a9d407ef613
AgentTesla
45baf148c3f8de1279080760cc1656c79a64764e76fbf153944247d9dd208fa7
AgentTesla
4952674eee9adeccc538811c244e3f90bb71b2bc249a1c4f0b36f93ca77f364a
AgentTesla
8813b14184cfd6ac569b0b4d16772a12370350fa45fe1d93474e168408104e29
AgentTesla
b431ce5dc4ecd3ca9efbce074bbe8c85602765dc2a8cf98cc3765f6298f71569
AgentTesla
+ 18'176 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
82a08ed8f63d2850f3f96c389465cbe31f02e3174303188e341d03fb7ca15fe6
MD5 hash:
98d256414074b8945a1934eae24ceec8
SHA1 hash:
e79fd26a50b48da56065f8655d5c20ac1791dd2d
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
SH256 hash:
811a6f536a3b503f2b7ce935ced4c1f749fd8beb002c5421f11a117d99c04dfb
MD5 hash:
18c1cd2244b1b16f7bd0ec9bfb01069a
SHA1 hash:
9257c4443ba2889d780e0e7f21ff35d56c903886
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
SH256 hash:
f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1
MD5 hash:
fb7cc194309b03e66b160fe20f371762
SHA1 hash:
7b6fe95b9b6af1328d43ef9fff27919d807b9c47
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
SH256 hash:
823d4c45a72644597742cf6eefccef6fc77151382459da1d3c003efc7a66a003
MD5 hash:
a6f8abc1217cda43d9ea7935ef53fb84
SHA1 hash:
3773940548d0c950d6bf8d943120db9ff154965b
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
SH256 hash:
cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c
MD5 hash:
49dd991a1bc83bc0d0eb9720211b9ed8
SHA1 hash:
bc1f31388d6154a6f0958869bedc3884824e560c
Link:
https://www.unpac.me/results/41dac30f-a1d2-4b0f-85f5-9902c8c85738/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfe8883503f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cfe8883503f6c675d58b8d30c1d0a9064da329fc82bf4f5cd4230783d53a5c6c

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/291864/

Comments