MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
SHA3-384 hash: d3fd51a1bd95ced05b4906362081ebe28f4078992c4991d967ecf3aa821edcfd7012e00405b78f41d96195f686d7f887
SHA1 hash: a222da21dbd932d64f9cad12b46c068ac7360f72
MD5 hash: c1b250f45de606ef95af9961496402a0
humanhash: table-delta-august-double
File name:RFQ - REF 208056-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:117'936 bytes
First seen:2021-02-25 14:12:43 UTC
Last seen:2021-02-25 16:11:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:UC154NoTCiLdp99RDmmym7mVmLmZm7mDm7vym8mLYiUmXuSHwE7tXuItiR40Xt4W:/zTCiLXBlHzD2pB7lQSVML/hy
Threatray 2'932 similar samples on MalwareBazaar
TLSH B2B3D8735EB42F6CD36B6A23D5788723DBDD1A337BC2414EE47708A182162E6B194E4C
Reporter James_inthe_box
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:cwcpbvBhYEPeJYcCNDldHTnGK
Issuer:cwcpbvBhYEPeJYcCNDldHTnGK
Algorithm:sha256WithRSAEncryption
Valid from:2021-02-25T07:33:07Z
Valid to:2022-02-25T07:33:07Z
Serial number: 19985190b09206952efd412d3ccc18e2
Thumbprint Algorithm:SHA256
Thumbprint: 7c120d01dfb5d8540763a96dee45da554bf1373a08ae5e29bb38fb557086d5c7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ - REF #208056-pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-25 10:09:18 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/1c83ad40-3802-49cf-9a64-4a33a52c849b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119247/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.641.6009.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/618799
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358398 Sample: RFQ - REF 208056-pdf.exe Startdate: 25/02/2021 Architecture: WINDOWS Score: 100 48 coroloboxorozor.com 2->48 58 Multi AV Scanner detection for domain / URL 2->58 60 Found malware configuration 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 8 other signatures 2->64 8 RFQ - REF 208056-pdf.exe 23 9 2->8         started        13 explorer.exe 2->13         started        15 svchost.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 50 coroloboxorozor.com 172.67.172.17, 49708, 49730, 49736 CLOUDFLARENETUS United States 8->50 42 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 8->42 dropped 44 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->46 dropped 66 Creates an autostart registry key pointing to binary in C:\Windows 8->66 68 Adds a directory exclusion to Windows Defender 8->68 70 Hides threads from debuggers 8->70 72 Injects a PE file into a foreign processes 8->72 19 AdvancedRun.exe 1 8->19         started        21 cmd.exe 8->21         started        23 powershell.exe 23 8->23         started        25 powershell.exe 8->25         started        74 Drops executables to the windows directory (C:\Windows) and starts them 13->74 27 svchost.exe 13->27         started        76 Changes security center settings (notifications, updates, antivirus, firewall) 15->76 52 127.0.0.1 unknown unknown 17->52 file6 signatures7 process8 dnsIp9 31 AdvancedRun.exe 19->31         started        34 conhost.exe 21->34         started        36 timeout.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        54 coroloboxorozor.com 27->54 78 System process connects to network (likely due to code injection or exploit) 27->78 80 Multi AV Scanner detection for dropped file 27->80 82 Machine Learning detection for dropped file 27->82 84 Tries to delay execution (extensive OutputDebugStringW loop) 27->84 signatures10 process11 dnsIp12 56 192.168.2.1 unknown unknown 31->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 14:12:38 UTC
File Type:
PE (.Net Exe)
AV detection:
15 of 29 (51.72%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zw4m7gk7qkd2d5sm2a24jy2oar7chizbrw7vbmh46mq6zvdebfha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
a8a9cb21be93047b223bd90d741d9eabdde0d1272f738f4c64720e5caceafe89
AgentTesla
c725eea92437455b05cf0c4007e63abff342befc67e4b8ad0e60eaa96074955e
AgentTesla
d524cd860456f8ba974792e116c29500bd251b580d42df1d115ffe96b5f79d43
AgentTesla
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
AgentTesla
+ 2'922 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210225-7rxh1kn41s/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
MD5 hash:
c1b250f45de606ef95af9961496402a0
SHA1 hash:
a222da21dbd932d64f9cad12b46c068ac7360f72
Link:
https://www.unpac.me/results/f436036d-7d7d-4624-b84f-71aadb1df97d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/119247/

Comments