MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1
SHA3-384 hash: c0af88e7b0943b00a8c91e2e720598e89f5e8c706813d6c90fbdc0a769d687e4b70e9127e2317ad01860512105d9281d
SHA1 hash: b5d5945d2c67824ba084bc0f546511f71677a25e
MD5 hash: 01c709203eddc996c2f3432661ba5316
humanhash: nitrogen-fillet-crazy-red
File name:cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1
Download: download sample
Signature AgentTesla
Create hunting rule
File size:330'887 bytes
First seen:2021-08-11 21:22:01 UTC
Last seen:2021-08-11 21:41:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:wXVlSsCrDRKqimtDMCfh55SEYpv0WMIyOzG/fK/rcZMIMhuz:SVavMCfiv0WMIyUGxz
Threatray 50 similar samples on MalwareBazaar
TLSH T1CA645B5B95528B8BFE858C7DCD80B2C2C1C37D395E76D2F3E9E5C5A1181CCA488AA353
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
installVideo.jpg.dll
Verdict:
No threats detected
Analysis date:
2021-08-10 13:44:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2a4f48e-a736-49fe-953a-a504f7c9e2c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178396/
Detection(s):
SecuriteInfo.com.Trojan.Bazar.16.4624.31570.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Launching a process
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3664188-0d40-4892-ac77-ca62d22212d2
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831268
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 463699 Sample: oI5cZirXM4 Startdate: 11/08/2021 Architecture: WINDOWS Score: 100 30 udwyvi.bazar 2->30 32 onjavom.bazar 2->32 34 23 other IPs or domains 2->34 52 Multi AV Scanner detection for submitted file 2->52 54 Sigma detected: CobaltStrike Load by Rundll32 2->54 56 Sigma detected: Suspicious Svchost Process 2->56 58 Sigma detected: Regsvr32 Command Line Without DLL 2->58 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        signatures3 60 Detected Bazar Loader 32->60 62 Tries to resolve many domain names, but no domain seems valid 32->62 process4 process5 12 regsvr32.exe 14 8->12         started        16 iexplore.exe 2 83 8->16         started        18 cmd.exe 1 8->18         started        20 9 other processes 8->20 dnsIp6 48 128.199.54.51, 443, 49745, 49774 DIGITALOCEAN-ASNUS United Kingdom 12->48 50 192.168.2.1 unknown unknown 12->50 70 System process connects to network (likely due to code injection or exploit) 12->70 72 Contains functionality to inject code into remote processes 12->72 74 Writes to foreign memory regions 12->74 76 4 other signatures 12->76 22 svchost.exe 12->22         started        26 iexplore.exe 5 150 16->26         started        28 rundll32.exe 18->28         started        signatures7 process8 dnsIp9 36 yzjavre.bazar 22->36 38 ygwyom.bazar 22->38 44 144 other IPs or domains 22->44 64 System process connects to network (likely due to code injection or exploit) 22->64 66 Detected Bazar Loader 22->66 40 geolocation.onetrust.com 104.20.184.68, 443, 49726, 49727 CLOUDFLARENETUS United States 26->40 42 img.img-taboola.com 26->42 46 9 other IPs or domains 26->46 signatures10 68 Tries to resolve many domain names, but no domain seems valid 38->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1/
Threat name:
Win64.Trojan.KryptLoad
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 00:56:26 UTC
File Type:
PE+ (Dll)
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9
AgentTesla
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d
AgentTesla
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
AgentTesla
986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae
AgentTesla
a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1
AgentTesla
bc8407aa092b9b316e72b6082699dd1432521f739eacfb57109bb1d759d89802
AgentTesla
e04c5bfeda44a81b6c820bf89515ab98bce767728c34919bed27a2767926a514
AgentTesla
fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
AgentTesla
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210811-t69ew52hpe/
Unpacked files
SH256 hash:
cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1
MD5 hash:
01c709203eddc996c2f3432661ba5316
SHA1 hash:
b5d5945d2c67824ba084bc0f546511f71677a25e
Link:
https://www.unpac.me/results/0c724ef8-0c44-4eec-8a4f-a7362d6057c1/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cbf60d6fa047/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178396/

Comments