MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56
SHA3-384 hash: 3aeb80f780e63a26b7d3a9a3e4a26e6cae3edd90c1a7d0b40e5e263471791e44fc9f3cf05de8d8f847aebac42818b667
SHA1 hash: c3bfe27283a96743353aca0e517340b7a99d5679
MD5 hash: a914c1db2c3a2d0728f4728911a2e4a5
humanhash: sodium-quebec-september-two
File name:shipping documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:296'455 bytes
First seen:2023-02-21 08:58:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:/Ya6KmSOwsPOa8xiu9p8iqXa69jnmHzTqFI3FNCxo:/YknOwsPv6j8vsTTqOVNEo
Threatray 3'776 similar samples on MalwareBazaar
TLSH T1C25412B432D8C99FC9F303309AB246636BE5DF127625571E5B90436A3D73A40AA1E70B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
shipping documents.exe
Verdict:
Malicious activity
Analysis date:
2023-02-21 08:59:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76b4ff7c-3766-4465-b384-475ed88cee2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368572/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1312.23310.28726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Reading critical registry keys
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71920/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f487d901b99ad33e7ecf4f/reports/887cfb4e-6cef-4cbd-91b6-bf7eed904f3c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fd6107c-3a57-4cd2-a471-08b3281e1fb0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179613
Signature
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 01:13:14 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yapr3az35pv3oszer2qlbqr2xqnhaju7mjitwgukbuothjesfvla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0271087f4a8d83387ba502d987722d40d40dc8109972a3e4e199ca122648e8a9
AgentTesla
3d3b0128f3bd2fd0c85b37496812b834ae8b2a9bc454eab9d04748182da5d25d
AgentTesla
3f1d383f87ddadde53543ae6155ce7ef17b543aaa8af6b4953e26a64ae796ce8
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
b4edff8c4560f792c25771b018a69794f957964d4da9403062742c5f11e95052
AgentTesla
c5cb50f2a9e4e82bab699a454bfd0370d9b0990edfe795c7e2903cc2369935b0
AgentTesla
+ 3'766 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230221-kxqwnaeb98/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
13f3862ee9b9a445d36ae99d6622cf6fd8a84597912b4c0f5060ca551d0e3fef
MD5 hash:
e15b474e087940f3ea962a7c78bb05f5
SHA1 hash:
e65ad1bbb9f0c4eb2d8ce855177bca5a1521ff20
Link:
https://www.unpac.me/results/d5c25e03-76a7-4293-aeda-74a3226d826a/
SH256 hash:
ba882f51c6659e443d3a063512b0ce1f653c5bd8e009dfc96dcea14a3782f729
MD5 hash:
bcded5dc2a232a5bc9af6172ea7d5994
SHA1 hash:
856c270a34a80d6d248f5d840eacfa4410dedac1
Link:
https://www.unpac.me/results/d5c25e03-76a7-4293-aeda-74a3226d826a/
SH256 hash:
7a28526e7105b4f90065c480779e14ddeec9c55deaa854a25d26b9e9bcef3d85
MD5 hash:
fa850dac17799e4b5c82ba1adf2071e0
SHA1 hash:
95d4c7395219151057d1a454222a1be378c1c746
Link:
https://www.unpac.me/results/d5c25e03-76a7-4293-aeda-74a3226d826a/
SH256 hash:
c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56
MD5 hash:
a914c1db2c3a2d0728f4728911a2e4a5
SHA1 hash:
c3bfe27283a96743353aca0e517340b7a99d5679
Link:
https://www.unpac.me/results/d5c25e03-76a7-4293-aeda-74a3226d826a/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c01f1d833beb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4bf77771dd244cda6ae4d11273ab10ca8757634e0f98c65d900b85db7ec3c4c5

AgentTesla

Executable exe c01f1d833bebebb74b248ea0b0c23abc1a70269f62513b1a8a0d1d33a4922d56

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4bf77771dd244cda6ae4d11273ab10ca8757634e0f98c65d900b85db7ec3c4c5
Cape
Cape
https://www.capesandbox.com/analysis/368572/
  
Dropped by
MD5 a095171ddc4c7ddbfae69ef010ddf759

Comments