MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb02efcc2f6504dc44c9ea4ceb02879374d3e1995c4960a6f85914b03690d39a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 7



SHA256 hash: cb02efcc2f6504dc44c9ea4ceb02879374d3e1995c4960a6f85914b03690d39a
SHA3-384 hash: 991bd858d8b8a53d6caa632a85aac2516361608e34a04d8d3ae2c4fa17fa40b180efad9fc7b9491ff57e4dd227458871
SHA1 hash: 156254e93f3d8038a59ac150568a1453b550b3a6
MD5 hash: 8f79646049c9920efd752e3607fdf78d
humanhash: leopard-summer-aspen-vegan
File name: Certificates Profile Details Of Our Company.exe
Signature: AgentTesla
File size: 557'056 bytes
First seen: 2020-11-19 06:56:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 28f23f3d8e8caef0d96e308e79b83dbf (1 x Matiex, 1 x AgentTesla, 1 x MassLogger)
ssdeep: 6144:rucgp6uipI0Xyo7/Zza5k0O2cocD0WHIS4CoL0z/Z2x47x:rCpFV03e60PcocDBHISC6/Z2x47x
Threatray: 2 similar samples on MalwareBazaar
TLSH: 64C4492073708770C0B21F30D4654E4EDE2A7E282E7D65BEB75CF648D67B6820669ED2
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: mail0.boardtrip.xyz
Sending IP: 178.128.129.229
From: Amacon Makgoka<amacon.makgoka@hotmail.com>
Subject: RE: RFQ Request For New Order With Reference: AMABINIF0865
Attachment: Certificates Profile Details Of Our Company.7z (contains "Certificates Profile Details Of Our Company.exe")

Intelligence


File Origin
# of uploads:
1
# of downloads:
114
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Reading critical registry keys
DNS request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Behavior Graph ID: 320255; Sample: Certificates Profile Detail...; Startdate: 19/11/2020; Architecture: WINDOWS; Score: 60
Signatures on the sample: Machine Learning detection for sample; Machine Learning detection for dropped file
Certificates Profile Details Of Our Company.exe (started): dropped C:\Users\user\AppData\Local\Temp\...\file.exe (PE32); Maps a DLL or memory area into another process; started a second instance of Certificates Profile Details Of Our Company.exe
Second instance of Certificates Profile Details Of Our Company.exe: contacted mail.privateemail.com (198.54.122.60, ports 49725, 587, NAMECHEAP-NETUS, United States); dropped Certificates Profi...Our Company.exe.log (ASCII); Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); started cmd.exe (3 instances) and 9 other processes
cmd.exe: Tries to harvest and steal browser information (history, passwords, etc); each instance started conhost.exe; the 9 other processes started further conhost.exe instances and 6 other processes
Threat name:
Win32.Trojan.Wacatac
Status:
Malicious
First seen:
2020-11-19 06:57:06 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
5/5
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash:
cb02efcc2f6504dc44c9ea4ceb02879374d3e1995c4960a6f85914b03690d39a
MD5 hash:
8f79646049c9920efd752e3607fdf78d
SHA1 hash:
156254e93f3d8038a59ac150568a1453b550b3a6
SHA256 hash:
5936208ee2143f1dd9db049e073293c00a9b3b3c56a13c0c700f048150e097df
MD5 hash:
679fecba362c2d542ff4bc2c7da4b4c7
SHA1 hash:
68e1ec92fa5e81e690cb694267c03fd3b5f4d93a
Detections:
win_masslogger_w0
SHA256 hash:
1c8a713c2f4081f2dc320a4d6d366dd25b583d9840279e119cca6936230fb076
MD5 hash:
28d15e1bdd0f3a2ff2fff996e87eab27
SHA1 hash:
bc049d7a31f4a0e6a42030894873409ff0e01956
Detections:
win_masslogger_w0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cb02efcc2f6504dc44c9ea4ceb02879374d3e1995c4960a6f85914b03690d39a

(this sample)

Delivery method
Distributed via e-mail attachment

Comments