MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
SHA3-384 hash: 40f230f87a6fa7b4664c069d9fbd36e74b58f87e09402eafba1303444776a2e9b74adfc5a450103ac074370bbc00c659
SHA1 hash: 9c65bee37ad9c7292ae5fa041791d75ce2175b66
MD5 hash: 32a37ba7197b365d5d3e92dbe2186dda
humanhash: carpet-friend-leopard-quebec
File name:c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:934'912 bytes
First seen:2020-11-15 22:57:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep 12288:iUjMvON3/tX/koDKXr3ZhgxDr1NuYKUFrPrkj31NxC9PgwKBnLiLLgiHGXVIb1F:iUjJVX/koOXjyPKUFrPrkj0ewKN4/C+n
TLSH A9159E22ADA04837D523353DCC0F5A649F25BF313929A9862BFD3D0F5F79A4178192A3
Reporter seifreed
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Eyqd-9789766-0
Create hunting rule

Win.Dropper.LokiBot-9792233-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching the process to change network settings
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537828
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318012 Sample: MD6J6Opim9 Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Sigma detected: Capture Wi-Fi password 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 9 MD6J6Opim9.exe 2->9         started        12 wscript.exe 1 2->12         started        process3 signatures4 59 Detected unpacking (changes PE section rights) 9->59 61 Detected unpacking (overwrites its own PE header) 9->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->63 65 6 other signatures 9->65 14 MD6J6Opim9.exe 4 9->14         started        18 notepad.exe 1 9->18         started        20 MD6J6Opim9.exe 9->20         started        22 MD6J6Opim9.exe 12->22         started        process5 dnsIp6 47 smtp.yandex.ru 77.88.21.158, 49729, 49735, 587 YANDEXRU Russian Federation 14->47 49 smtp.yandex.com 14->49 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->75 77 Tries to steal Mail credentials (via file access) 14->77 79 Tries to harvest and steal WLAN passwords 14->79 24 netsh.exe 14->24         started        81 Drops VBS files to the startup folder 18->81 83 Delayed program exit found 18->83 85 Maps a DLL or memory area into another process 22->85 26 MD6J6Opim9.exe 4 22->26         started        30 notepad.exe 1 22->30         started        33 MD6J6Opim9.exe 22->33         started        signatures7 process8 dnsIp9 35 conhost.exe 24->35         started        43 smtp.yandex.ru 26->43 45 smtp.yandex.com 26->45 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->67 69 Tries to steal Mail credentials (via file access) 26->69 71 Tries to harvest and steal ftp login credentials 26->71 73 2 other signatures 26->73 37 netsh.exe 26->37         started        41 C:\Users\user\AppData\Roaming\...\.....vbs, ASCII 30->41 dropped file10 signatures11 process12 process13 39 conhost.exe 37->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:58:44 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd5d2ry7wyc45hva4ghgmb4777p4qlv6xt6h7qbrqi2uckihen7q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201115-7vpehmydyn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
MD5 hash:
32a37ba7197b365d5d3e92dbe2186dda
SHA1 hash:
9c65bee37ad9c7292ae5fa041791d75ce2175b66
Link:
https://www.unpac.me/results/32e48fee-133f-4d82-85b6-652f3b4725c4/
SH256 hash:
98a617d0adab1d5a57d383b1dfa871e301f431819cd2af1aed61bec6044ec36f
MD5 hash:
1b011b9628f949b8f76ee8a29ff4225d
SHA1 hash:
d02e16ecf0cb52bd1d54eecc3facdcc34c105581
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/32e48fee-133f-4d82-85b6-652f3b4725c4/
Parent samples :
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
4f7f5917d40bbc372c64653858938d7e9255f2a4800215c8c0c2ea839566cda9
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
6bdcd8e2956d4c754f9ecedeb22fa1121f3f3d6f41a9dba35cdc59ce6da6c0e9
ece55bf60d34d3e75131e7c4a2f5c082f2d5e57bd0f97a54c89dfaff156d081d
SH256 hash:
51ee68fa552fafd5bc2aa957997da156342e768dff755d8daddd7548304b6612
MD5 hash:
e530ca4f8ea0786dfec333e0c14100ca
SHA1 hash:
629d78808d0f32e1faf7dc913cf88a14e941955c
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/32e48fee-133f-4d82-85b6-652f3b4725c4/
Parent samples :
b965e20213ebff1b60c20b0bb7159e74cbaa6d6fb70ff5fe1d2f85dc2eb251c5
4f7f5917d40bbc372c64653858938d7e9255f2a4800215c8c0c2ea839566cda9
c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f
6bdcd8e2956d4c754f9ecedeb22fa1121f3f3d6f41a9dba35cdc59ce6da6c0e9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0fa3d471fb605ce9ea0e18e66079fffdfc82ebebcfc7fc0318235412907237f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments