MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732
SHA3-384 hash: e67db36d3844a83d02b2cece109bffef2d58623b5d03ae33934a02cd9f95ad66445f388bbe3a67ee8467125056d53c24
SHA1 hash: 258b880f56730d8b19679d8d12a5a3ba32996990
MD5 hash: b39ed98d2639aea722507ef94ff71da3
humanhash: artist-bulldog-one-lemon
File name:Cabot Oil & Gas Corporation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'080'320 bytes
First seen:2020-12-20 07:56:29 UTC
Last seen:2020-12-20 09:34:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:BknyP5L59ipEGX4Qf6OSNJacz0Ocg9KTD9KT79KTv1QNg1zR3XaQ:BL5kzTCT34/nqazV
Threatray 1'986 similar samples on MalwareBazaar
TLSH 8A35013DB644BF90C0BC0737C8D2E51063FAED859642D52E6DE434FDAAA1BF94826643
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.dsfabricsllc.com
Sending IP: 198.255.55.42
From: Dan O. Dinges <george.stark@cabotog.com>
Reply-To: k1@ecg-ingenieria.mx
Subject: Cabot Oil & Gas Corporation / Request For Tender
Attachment: Cabot Oil Gas Corporation.zip (contains "Cabot Oil & Gas Corporation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Cabot Oil & Gas Corporation.exe
Verdict:
Malicious activity
Analysis date:
2020-12-20 07:59:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/554125d7-6a95-49dd-997b-a72d28a46405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108588/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.480.11411.30634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566938
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332552 Sample: Cabot Oil & Gas Corporation.exe Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected AgentTesla 2->32 34 Yara detected AntiVM_3 2->34 36 5 other signatures 2->36 6 Cabot Oil & Gas Corporation.exe 3 2->6         started        10 scvhost.exe 3 2->10         started        12 scvhost.exe 2 2->12         started        process3 file4 24 C:\...\Cabot Oil & Gas Corporation.exe.log, ASCII 6->24 dropped 38 Injects a PE file into a foreign processes 6->38 14 Cabot Oil & Gas Corporation.exe 2 5 6->14         started        18 Cabot Oil & Gas Corporation.exe 6->18         started        40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->40 42 Machine Learning detection for dropped file 10->42 44 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->44 20 scvhost.exe 2 10->20         started        22 scvhost.exe 2 12->22         started        signatures5 process6 file7 26 C:\Users\user\AppData\Roaming\...\scvhost.exe, PE32 14->26 dropped 28 C:\Users\user\...\scvhost.exe:Zone.Identifier, ASCII 14->28 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->46 48 Tries to steal Mail credentials (via file access) 14->48 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->50 52 Tries to harvest and steal ftp login credentials 22->52 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 56 Installs a global keyboard hook 22->56 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-19 01:45:02 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpzygsmmgxcikdpmk4gzx5lwxc7zwarieaoz6cd3ca57u73h64za._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99
AgentTesla
2ff93944081c104e8175f5209255c50e92d65f8a3e35fbf01c5f6f46237575af
AgentTesla
52a8719e0795679e8336c841ddc5f6b0a74b5e423c4b71fe0db3ddbfbc3f7e7a
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
8a21b943ea85a94fb89a4222be1b22222b71447cc16fe9b1ef58957029210a8f
AgentTesla
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
AgentTesla
c7c371104c985df2506b6f9b0e4133e61c96e45d9f96a9961369d52e9f9f972b
AgentTesla
d5a2e34a8816a75fe9d6cd9b9035040ea5777429dc7eeebc0ebb7f8a4d897495
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
+ 1'976 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201220-qbhjwmcaa6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
cfad222f8752f64553fbd1563e082616823405666cd586ee4d6090a58657dedd
MD5 hash:
e844d3840673ac10c5887607591e4208
SHA1 hash:
3163249535e227160cd262a5e9e6eb8e27974542
Link:
https://www.unpac.me/results/9dac4e53-2b8f-4b7b-95be-444d6dac3c7f/
SH256 hash:
ef961b25a126e7917d48c59874af891d83713b16f405529b21446db3365ad0be
MD5 hash:
e1e737853577da5b012cb19b7662dd4c
SHA1 hash:
a061565661aa4b9531f43fb8125243c9fb9f3b7b
Link:
https://www.unpac.me/results/9dac4e53-2b8f-4b7b-95be-444d6dac3c7f/
SH256 hash:
489f959338dbbb07dfb956d84cd8f468c47db61e84cac3aa2a9ab8234ec4bb06
MD5 hash:
d28e4c45d25b5962271fcd2df15a98c1
SHA1 hash:
f3166c799e05db8e2ece3bdf57dce4851a4c972a
Link:
https://www.unpac.me/results/9dac4e53-2b8f-4b7b-95be-444d6dac3c7f/
SH256 hash:
55e7e992098a7557d58cb3d1b5e4ab0841dba898a6ceb645f9af728a7a5910f7
MD5 hash:
2f8d3da140e2ba9f507dc7d094d513e4
SHA1 hash:
fcc2fd09d27469ce38306d3ad7ede23fa2967b05
Link:
https://www.unpac.me/results/9dac4e53-2b8f-4b7b-95be-444d6dac3c7f/
SH256 hash:
cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732
MD5 hash:
b39ed98d2639aea722507ef94ff71da3
SHA1 hash:
258b880f56730d8b19679d8d12a5a3ba32996990
Link:
https://www.unpac.me/results/9dac4e53-2b8f-4b7b-95be-444d6dac3c7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d7fc055ec3ee88d19617d8558c822d7b6a60e80b85666f06b9a97fbb325dfc30

AgentTesla

Executable exe cbf383498c35c4850dec570d9bf576b8bf9b0228201d9f087b103bfa7f67f732

(this sample)

  
Dropped by
MD5 089252386c4f45d30b51afb0be7a25b4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108588/
  
Dropped by
SHA256 d7fc055ec3ee88d19617d8558c822d7b6a60e80b85666f06b9a97fbb325dfc30

Comments