MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c
SHA3-384 hash: 40803044264727c2ee314d9a23ba3f4c47d91da54265f00b9b9f0e1714df0ff830497eb77c16aeb68d8886093f91c8d4
SHA1 hash: b6815b23a41dff6e4bbe74fa640597f708fd446c
MD5 hash: efcc21424ce685a5198b79878b74045b
humanhash: seven-early-jupiter-king
File name:PO_NBI_180123(MECH)_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:24'064 bytes
First seen:2023-01-18 08:09:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'467 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 192:UzujxuZnoHZzXirltrek+H2BcIbiiiiiiiiiiiiiiiiiiiiiGPP:UKj0ZnoHtibz+WbP
Threatray 20'435 similar samples on MalwareBazaar
TLSH T1D5B2CDE3FB2D06D0F8296C36763B969357E34C2EBC566A2E457BF1E60CB22410709C25
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 171f272325252727 (4 x RemcosRAT, 2 x DarkCloud, 1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_NBI_180123(MECH)_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-18 08:12:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/417d1101-71cb-48ac-8e12-ddd1b6f8748d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354061/
Detection(s):
SecuriteInfo.com.Variant.Lazy.286428.5846.29949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c7a95bc4dab251690eabb8/reports/18c4f8f1-a5e1-46b2-9279-2662510b2da1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5a84e3d9-f591-47b0-8e8f-70b065727ff0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153692
Signature
.NET source code contains potential unpacker
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786423 Sample: PO_NBI_180123(MECH)_pdf.exe Startdate: 18/01/2023 Architecture: WINDOWS Score: 100 65 Malicious sample detected (through community Yara rule) 2->65 67 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 6 other signatures 2->71 7 PO_NBI_180123(MECH)_pdf.exe 16 7 2->7         started        12 Shymw.exe 14 3 2->12         started        14 Skype.exe 14 3 2->14         started        16 2 other processes 2->16 process3 dnsIp4 51 onedrive.live.com 7->51 57 2 other IPs or domains 7->57 39 C:\Users\user\AppData\Roaming\...\Shymw.exe, PE32 7->39 dropped 41 C:\Users\user\...\Shymw.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\...\PO_NBI_180123(MECH)_pdf.exe.log, ASCII 7->43 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->81 83 May check the online IP address of the machine 7->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->85 93 2 other signatures 7->93 18 PO_NBI_180123(MECH)_pdf.exe 2 5 7->18         started        23 powershell.exe 16 7->23         started        53 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49703 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->53 59 3 other IPs or domains 12->59 87 Multi AV Scanner detection for dropped file 12->87 89 Machine Learning detection for dropped file 12->89 91 Encrypted powershell cmdline option found 12->91 25 powershell.exe 12->25         started        61 3 other IPs or domains 14->61 27 powershell.exe 14->27         started        55 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->55 63 6 other IPs or domains 16->63 file5 signatures6 process7 dnsIp8 45 api4.ipify.org 64.185.227.155, 443, 49700 WEBNXUS United States 18->45 47 discord.com 162.159.135.232, 443, 49701 CLOUDFLARENETUS United States 18->47 49 2 other IPs or domains 18->49 35 C:\Users\user\AppData\Roaming\...\Skype.exe, PE32 18->35 dropped 37 C:\Users\user\...\Skype.exe:Zone.Identifier, ASCII 18->37 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Creates multiple autostart registry keys 18->77 79 2 other signatures 18->79 29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 01:11:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wg2pe6fj65jnq3xgco4akbf4l2etv6zrrc2xp2vukvx4m2mkn6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011c5a93fcf5f1fda343e254b6be02737381be4df4bdec1aa07c8ad23b540599
AgentTesla
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
AgentTesla
175b18fc4d1ce73099a94c25d5fee0af5704e47b37803137368bdf416fc8a364
AgentTesla
26fd5960f4df473e74ae181061882322a19eab1b37f4ebc846d8634f538d43e9
AgentTesla
2b924314517e86bfece5ecc1e2a6386ac415c9db078a48e7e974a08a8c6255ed
AgentTesla
2cc6b260d75009a42a07d74973fd648b25d120b7f93d6203f7cf6e8a9daae4cc
AgentTesla
52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb
AgentTesla
6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4
AgentTesla
fce48b4993cc9580290c751a7cb151c06c861cf2033a9d59b00135c955cef072
AgentTesla
ffb64f4d42dd2de275cbf4ae7b334ffdd8920ff8fec95aca9900493472603d16
AgentTesla
+ 20'425 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230118-j2pnqacg95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c
MD5 hash:
efcc21424ce685a5198b79878b74045b
SHA1 hash:
b6815b23a41dff6e4bbe74fa640597f708fd446c
Link:
https://www.unpac.me/results/3b9e8b24-24a9-444c-b97c-61128bf79a98/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd8da793c54f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dd8da793c54fba96c377309dc02825e2f449d7d98c45abbf55a2ab7e334c537c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/354061/

Comments