MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
SHA3-384 hash: 655b153d7f2ca5ab34ebadb4a56ba6f8692ed6ac5e44375cdc6e3a42843b26588987802222bfc6e8ee0fa21a1d775383
SHA1 hash: bbc3d256229f849eebd63a9b81133ca03a051421
MD5 hash: ef6f08a0cb8dfc3bd4a7846ddd55ccef
humanhash: nine-hydrogen-victor-kilo
File name:RFQ#00987.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:768'512 bytes
First seen:2023-06-19 14:55:19 UTC
Last seen:2023-06-19 14:57:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8cJhzGwmnphaJ7UO/QjZxVTK8g3O2xWaUC5r+E139ftYq7J3At5iHOq+ZQn:8Kz2O7bYx5K8g3O2oaj5r+039lYqtm8D
Threatray 5'419 similar samples on MalwareBazaar
TLSH T143F4121C4AE8921FE56B5BB8DB55F7B91B2EDA847633D32B1DA0B0CB6D11B104B01336
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ#00987.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-06-19 14:56:42 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/d90ca528-abb8-4ffb-a011-d10258ad12cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400588/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.26246.6282.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64906c8219fee80fdf4158f6/reports/1d42bb07-436b-4a2b-8610-7f22740e70ee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d80222c0-293a-4354-b9c1-639532b13ee9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257511
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 13:21:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xpeptgkzuiajzx6vafv62iu7g3oiya4pufatpidgssfgoqezbdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
217deeacbfd0b0a0b448fd35c2dc00797077e43f7fc2383b6e1fb86029eccc52
AgentTesla
25fcbdb67d14b109af5408df8c9b78305c41afeb8ad3707147c7c350a0535330
AgentTesla
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
64d66ac60714c0fde68722e28c101fbc7f3b7237b04f2f2942f4b5f28e72c008
AgentTesla
6e41de3cfe2a499488f1eae60dc1ba0f35f0e86c2428271e78bc8ddb51e26d0c
AgentTesla
6e55ebd8042f6fdfd619a858843ec888a56a7be49c720c50410bdb719099256c
AgentTesla
82e5621ef317c7895d35697136aba7ac7f91d39ad89570da1946c06df5308c59
AgentTesla
868c32e8f0d323bf24fbb9c6d073198cdb50a072905ba1f43f3725dceac6863d
AgentTesla
c3706faf1e9a38c879ec449a50da90aafcae01787b0e56962519d3edac1d6b42
AgentTesla
+ 5'409 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230619-saz5tafg4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
SH256 hash:
93fd4f023e0e622e8f838c41ae0837a9541dda8245814bfb6a56f37e02dbb7dd
MD5 hash:
abe3c78040edd119d7705f27db8b4aed
SHA1 hash:
7bc13e59d79d8661658f96d0400f69b92fd6340d
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
SH256 hash:
a2ae3b92f5f11890c55fc62e2245c157eb4926c2f00a2b18b7437a32540ad3f5
MD5 hash:
f0dacf77d6667be77cdc70a922739df5
SHA1 hash:
3dd1199a334a95cff6f929adc0dc9fa2379725f6
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
Parent samples :
ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
216e8743347dc86b61953a60917a48669dd6d039fdcbff99ea2893959f311a23
b4808e6181c33178c778467beec7f8ce933b0ba767c4a78821e95776a0655e6c
SH256 hash:
6f509e585c37e28b740fdbb7471001c2de9b3364a5ffe8d3dba4f503d37faabc
MD5 hash:
077ae99dc92686aa46acf8a12ccbcaba
SHA1 hash:
19e9b97d726d34eaba818446a3d34bd6f5e7eceb
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
SH256 hash:
ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
MD5 hash:
ef6f08a0cb8dfc3bd4a7846ddd55ccef
SHA1 hash:
bbc3d256229f849eebd63a9b81133ca03a051421
Link:
https://www.unpac.me/results/f4418713-eea3-4ba6-b4f9-d062dc9f15b5/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddde47cccacd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/400588/

Comments