MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161
SHA3-384 hash:	eed55bd84ea3aadede88c3bdef12fd2aa356f7c4b4aa6a682d1f7f57c3b18b882e340dd949121459795303ee581ef01d
SHA1 hash:	1a1f5a9c573897b8e15206a93670251809c80584
MD5 hash:	65cec01786af4fed472eb44f48d1aa73
humanhash:	monkey-don-hotel-chicken
File name:	P.O 2200074558.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	669'696 bytes
First seen:	2023-02-16 08:12:50 UTC
Last seen:	2023-02-16 14:14:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:RbUbsgeEg3ZHssFINDnpNOlAe/2wHLD+htmYbYyfrByiSvfJJ2sAo+w:TzssFINDnpNOlAe/2wHnarTByiSHJJzt
Threatray	20'890 similar samples on MalwareBazaar
TLSH	T1BDE4F43D28B753E2D179FA3D86E58420FAAC91823307C919DDE61ED04F426827DCE69D
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

P.O 2200074558.exe

Verdict:

Malicious activity

Analysis date:

2023-02-16 08:16:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/760da62d-d039-4c42-b709-d52339b52881

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/367084/

Detection(s):

Sanesecurity.Rogue.0hr.20230216-0434.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63ede5906bc4d77186fdc859/reports/f1a1cd07-80c3-4ec0-8cf0-04cb31279397/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa57a8ba-e30f-4105-be2a-c5a27a903d64

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1176708

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-16 04:00:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xlmwkxyqa7d3a77syaoe4dmebmrbooru4z7welwjogr6yz2wfqq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

AgentTesla

361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

AgentTesla

4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203

AgentTesla

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

AgentTesla

e60df4c4e0c5fd9cb3bc3863d6ca5e668f44120187dd66fa0239c0741653e5e7

AgentTesla

f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6

AgentTesla

+ 20'880 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230216-j4eljagf42/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/010f0f60-4d8c-437a-9698-03dcfde6c6b8/

SH256 hash:

94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129

MD5 hash:

874dcc6be499121b1425bfdff1f8ad46

SHA1 hash:

66f83bedc73876b77e152c604b8214bde86d965e

Link:

https://www.unpac.me/results/010f0f60-4d8c-437a-9698-03dcfde6c6b8/

SH256 hash:

b3120985825ed8328a65dfdcd2f5ca5c4447d3a3bf75f5335f2d6284261d9e56

MD5 hash:

79f4d78b92018f0b6326dad7a600cab5

SHA1 hash:

13ba1cb6f5a64b438e6308f87431966f7a8da8d4

Link:

https://www.unpac.me/results/010f0f60-4d8c-437a-9698-03dcfde6c6b8/

SH256 hash:

ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161

MD5 hash:

65cec01786af4fed472eb44f48d1aa73

SHA1 hash:

1a1f5a9c573897b8e15206a93670251809c80584

Link:

https://www.unpac.me/results/010f0f60-4d8c-437a-9698-03dcfde6c6b8/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddd6cb2af880/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.