MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b
SHA3-384 hash: dee85b347963a430f6d755c5e0302fa9548c75236318c01a2f859ffcf1976b68cdf859897b14983cc961a359a96da9ad
SHA1 hash: bdee095784160c831c11b3a11857648ffeac1e37
MD5 hash: 121003e65b12eaa3d6248acc96ac74cf
humanhash: whiskey-shade-beryllium-summer
File name:FedEx_Aug 2020 at 1.31_8BZ290_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'925'936 bytes
First seen:2020-08-05 09:06:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:QSJV4OX5ELa9nLdWn2SJqRz0Y99bViZnqp/x/EKo/LHrN:sJGhWnAz9Ln/S/LH5
Threatray 10'657 similar samples on MalwareBazaar
TLSH 48959E643C40306FBADF41B056EB66E892E235151A312B399D6375BCCA1E1877CDF8B2
Reporter abuse_ch
Tags:AgentTesla exe FedEx


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pleskl2ssd.axarnet.es
Sending IP: 149.62.169.212
From: FedEx Support Delivery <shipment@fedex.com>
Subject: RE: Shipment delivery problem #00000964421
Attachment: FedEx_Aug 2020 at 1.31_8BZ290_PDF.img (contains "FedEx_Aug 2020 at 1.31_8BZ290_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39289/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/410720
Signature
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 06:10:31 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpyjrkvs4lwime5e7am7wvxuzohvlorpjz4sosu2pgnvsfe5av5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0383409c31a6543ab60b30f5e95e83712c11c03768c3e6b29fd4dc5bd9fdcc12
AgentTesla
0f010d34558a3cdfb2bca2de008db88cf41c733117aca97aa60ad2172c4a401a
AgentTesla
2197e273f9fcf61c4105c9e50d44ca0e4782c209c6b6bdaeec839568ba2b2377
AgentTesla
47f12ec69f49c0ae05cd312f74076e822550a0e0ea8cf807262a6a11a16af1cc
AgentTesla
6a1315d55a66812deddffd96c7f113289b3f21b085f830d8332844b4c9d5e4bc
AgentTesla
7e2473db8e90a794eef6584e105e195e942d967f9172592230105b59e0af68d3
AgentTesla
cc3e20b33001f4f34185d4df7e809ce25c62be99e1abcae9c8e15a77d2b0667a
AgentTesla
d1876880e116fa9b64b8902b32cd76d4e69cdc0e94c091b50bea66e20e5f91db
AgentTesla
ef6cbe8e4762412374dd74dbb36bd2728f9a627212f14ad2890159945c0a5fb3
AgentTesla
f08ffb7a34ef9d8d3fa1065de100ddbbf4f2e9c74a6c4ade0135053a9daf5f98
AgentTesla
+ 10'647 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200805-crb3c9xpmn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 69ccefda3fb95b909eb229081576c0f45a5b59edade4ead95fcbe833b6200db4

AgentTesla

Executable exe 0bf098aab2e2ec8613a4f819fb56f4cb8f55ba2f4e79274a9a799b59149d057b

(this sample)

  
Dropped by
MD5 a6382ce8511b439254cdde3527656a6b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39289/
  
Dropped by
SHA256 69ccefda3fb95b909eb229081576c0f45a5b59edade4ead95fcbe833b6200db4

Comments