MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf8fab966145ea0701db997fd11c2969c984d6793d668f84e113f358274150a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	cf8fab966145ea0701db997fd11c2969c984d6793d668f84e113f358274150a6
SHA3-384 hash:	e35a15aa800f523a75c31ba0719ebee03b37066dd142a833a0019cde3e106c04ffd2a11fa32dc2fee42abdee108cd2ef
SHA1 hash:	50c0d25bcfd31b9b5f564a176a1b5c9da17a89ff
MD5 hash:	b85d249c3c8ec251569e3661c49cbc3d
humanhash:	purple-pluto-potato-sixteen
File name:	recibo_de_seguimiento_de_dhl.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	803'840 bytes
First seen:	2020-08-08 08:12:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:1vJ9LQimHQ4P9oloSZRcnK/2dJOgNNLn:5J2LFolRDTkJlPLn
Threatray	10'669 similar samples on MalwareBazaar
TLSH	5D055B3D3E42A81AC53E163150A89ED037B1A94B3F41CB5F76CA538C7F1269BBB0615E
Reporter	abuse_ch
Tags:	AgentTesla DHL ESP exe geo

abuse_ch

Malspam distributing AgentTesla:

HELO: dhl.com.mx
Sending IP: 88.135.38.169
From: DHL EXPRESS <dhl_shipment@dhl.com.mx>
Reply-To: shipment_update.dhl@dr.com
Subject: SU ENVÍO DHL LLEGÓ / REF904848881
Attachment: recibo_de_seguimiento_de_dhl.img (contains "recibo_de_seguimiento_de_dhl.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/42078/

Detection(s):

Win.Malware.Banload-6981577-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a file

Launching a process

Creating a process from a recently created file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/415733

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/cf8fab966145ea0701db997fd11c2969c984d6793d668f84e113f358274150a6/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-08 08:14:13 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6h2xftbixvaoao3tf75chbjnheyjvtzhvti7bhbcpzvqj2bkcta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

85f3f4ff256d8226555c9e7c1c346e32bd12255851d59eaa5ad645e12423519b

AgentTesla

9827d07eba83763e229dfa24ce8c14e3751b216bba993a299f333a429b08232f

AgentTesla

9a6ccb15221b536964b80126a69fe4d0af0ec7eef147b7d6c8385b5913dbca5c

AgentTesla

a4df3907640f596ab2f05793362a19de2cd01b05b20fd142f46cc47dd61c901c

AgentTesla

a73985784fd11ed9276d875521a98618001f232d756f3290b694466c16123a46

AgentTesla

b46bd25fca309781558509bdb4f408b085d83c74e71adc5de4eeb349bc8c4c7a

AgentTesla

dd22ddd3720b67b66c945d706c20a70b839499521bf4beb84626c500623975cc

AgentTesla

f2209224cc5688ee6f73d6d5977b9bdba3996af5d4eb28b523910e4ffb84d313

AgentTesla

faf60987a9c29bc94976b64c9afb3fce5ddc39f049e0ee82a9024d7a19ddad8f

AgentTesla

+ 10'659 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200808-eb15aylnba/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.83

Link:

https://yomi.yoroi.company/submissions/cf8fab966145ea0701db997fd11c2969c984d6793d668f84e113f358274150a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar