MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
SHA3-384 hash: 5e34617bb3be3860303a7288e034ce5057b5d1815f16d92e34c378188b302ff48ff19f5916b55952e05208869f5d1f8d
SHA1 hash: 8f6e55e93c4726976d5a83aff813206e84e7c804
MD5 hash: 8c1a8cf71bd8355d5bcd1ed5eb27f514
humanhash: lima-pasta-stairway-white
File name:8c1a8cf71bd8355d5bcd1ed5eb27f514
Download: download sample
Signature AgentTesla
Create hunting rule
File size:291'378 bytes
First seen:2023-06-13 10:38:50 UTC
Last seen:2023-06-13 11:58:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea06f0ebd05782e9caa4e3157d406e08 (3 x AgentTesla)
ssdeep 6144:x6E3i2rmViPtsl1HJ5DCgXW33wcmBSNMDYuYawVHFGOJw:x6iPSlJ+vgcQ6MDY5V4OJw
Threatray 3'604 similar samples on MalwareBazaar
TLSH T1A954DF2C7D785D56E0D5CBF189E5B567B021EC2E22CF4C0F698B6B580AB354324E326B
TrID 82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
299
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c1a8cf71bd8355d5bcd1ed5eb27f514
Verdict:
Malicious activity
Analysis date:
2023-06-13 10:41:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3f84d273-9e31-49fd-ac3f-d1a63077d2ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398243/
Detection(s):
SecuriteInfo.com.Variant.Lazy.350119.24230.11622.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Lazy.350119.12905.1054.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6488474d08b287b7595b6b0c/reports/164d7ea6-c413-4ff9-a7fb-82f16b2c51a1/overview
Verdict:
Malicious
Labled as:
Ransom_.6E223C25
Link:
https://www.hybrid-analysis.com/sample/dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f699b045-fb0d-4e0c-b6ed-6cbc024d0d9b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253531
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330/
Threat name:
Win32.Ransomware.Cerber
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 10:39:09 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ucbzbb4j44hh6tbxvp4ybfpwm22yt75e7js2ijzm33bbxbcqmya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
109ef5c322e2f5b9624f14914d4e4db3cd2ee7883f9c718c913616eb69277091
AgentTesla
271d3e8dfec86cdeb02be2c1d29e4717dae69d8edfb088bdf67b3da85fbacf30
AgentTesla
3d19690074df0c98a4088e0ca1f69969af9a65b7b260b7b71ac77a9bb89df6e6
AgentTesla
803df40184cf585fc3e2e8172972b3e548971a193ed4af7b7d53e6bce2ea43e1
AgentTesla
80eabb4ed2bf442079ed36b1a74aa1afd5627eeea83bc48cf4c9d2a4b719c0a9
AgentTesla
afd448d428fab23dae316bed55ddf9605d3193e9eedbda898cf9304272830c9d
AgentTesla
fd987d623939a8b69f25a2b8350fb6e76a51e77545add40658fc60f00950d625
AgentTesla
+ 3'594 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230613-mpyyeafg82/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Unpacked files
SH256 hash:
2d490262eecc0ec622418e1e72b7a640eccfb5f7884da7ca9e296c2a1a4765fd
MD5 hash:
bc2ff0ea085cd53497db50174db6adc1
SHA1 hash:
2705bda05df55b0b9bfa9093a0dd73820e3748ba
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/cc3a26f7-3022-48ab-bb66-ae218d188295/
Parent samples :
dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
cdbb23d2903063282fe152ac63e2838af4c099c2fa18e91d44448ede4cef0a30
SH256 hash:
dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330
MD5 hash:
8c1a8cf71bd8355d5bcd1ed5eb27f514
SHA1 hash:
8f6e55e93c4726976d5a83aff813206e84e7c804
Link:
https://www.unpac.me/results/cc3a26f7-3022-48ab-bb66-ae218d188295/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd041c843c4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2659031/
Cape
Cape
https://www.capesandbox.com/analysis/398243/

Comments


Avatar
zbet commented on 2023-06-13 10:38:51 UTC

url : hxxp://51.79.49.73/crc/C5.exe