MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf86dd376f5333537f8aa84a0942a077b137153595467095c9efefe760455a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	cbf86dd376f5333537f8aa84a0942a077b137153595467095c9efefe760455a3
SHA3-384 hash:	d28af112e9f8d67eb5b8a8d1e583c812c31a27ac6a9e28c5bd76c09fec280da30e50a285e6627d2b0ae530864acd77ed
SHA1 hash:	7c071b06729bb85313b426ae6c413aa612bc029a
MD5 hash:	f9fec0800e972de6728cd47c067097a5
humanhash:	arizona-wisconsin-cold-fish
File name:	CIZ_KAZ_RFQ020102020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	330'752 bytes
First seen:	2020-10-02 09:25:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:tvQYFGykEeF6I0hPWYCc858ugFD22uANEIJ3+0lQfz53Z5ESODG:tvQYF9LekI0dWYE8PNPJu0lQfySODG
Threatray	266 similar samples on MalwareBazaar
TLSH	646423097FC5C652C758037CAC6835400BBBB989958AE94F3D504A9E5D79FE28E832CF
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: newportbedding.com
Sending IP: 209.58.149.66
From: Dinesh Kumar <steven.d@newportbedding.com>
Subject: Urgent Request For Quotation
Attachment: CIZ_KAZ_RFQ020102020.cab (contains "CIZ_KAZ_RFQ020102020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67699/

Detection(s):

SecuriteInfo.com.ArtemisF9FEC0800E97.14063.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480115

Signature

.NET source code contains potential unpacker

Allocates many large memory junks

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbf86dd376f5333537f8aa84a0942a077b137153595467095c9efefe760455a3/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-10-02 07:16:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zp4g3u3w6uztkn7yvkckbfbka55rg4ktlfkgock4t37p45qekwrq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6e070df16a98956dd19b7313c542a8462704f95b8aeca246625d3a2cda152ba6

AgentTesla

b90e648ea2d913c493765798db8d443a355bcba18f973c5957e5f959ad794a60

AgentTesla

be2763ce4e6c5c6a228efc795006966af947a33bb7992121d9f139f161f7ab15

AgentTesla

c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818

AgentTesla

c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0

AgentTesla

d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce

AgentTesla

d7f3cc72163e809b398c83abb04b237d3f900fee8886e862995a2e5995c3d627

AgentTesla

eff9f4e21fdbfe198940895948ec41f1d8e5adb4686fb4f7e72b6e9042054889

AgentTesla

fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b

AgentTesla

+ 256 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/201002-t2tm45x6as/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

cbf86dd376f5333537f8aa84a0942a077b137153595467095c9efefe760455a3

MD5 hash:

f9fec0800e972de6728cd47c067097a5

SHA1 hash:

7c071b06729bb85313b426ae6c413aa612bc029a

Link:

https://www.unpac.me/results/6a506721-8729-4630-978f-e37af7d277c0/

SH256 hash:

86698f267058f00e24ae9ab44fca75418ea6133480e1deb0d0c6b8752506dd93

MD5 hash:

a71d3e22fd7935718791c1ec2e2939a6

SHA1 hash:

9cc0ecb77122481bd774bcc2d1d2768c48e45143

Link:

https://www.unpac.me/results/6a506721-8729-4630-978f-e37af7d277c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cbf86dd376f5333537f8aa84a0942a077b137153595467095c9efefe760455a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.