MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3
SHA3-384 hash: 18209e961eedba685598b493aee9b255c1479303bc88f17c2abe0a260a56649422a2bb15ac14ffdf838bed634511041b
SHA1 hash: fcd967ab2afd3c0dc91cbe43a5112e8caf423c80
MD5 hash: a39eb134c963ff450009962b24819629
humanhash: india-crazy-football-table
File name:Recibo da TNT shipping.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:833'536 bytes
First seen:2020-11-07 10:19:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cea15fcbfd6616496bbe80d9d9d0796 (26 x Loki, 25 x AgentTesla, 10 x ISRStealer)
ssdeep 12288:NVKdZyObtOG0OHttZpOohFSsymCpiuyWKNpaj31NhaF9ji1fZgpt:NVMHwG0ON514iuyWEpajc7uJZKt
Threatray 2'646 similar samples on MalwareBazaar
TLSH 6B058EE2ADB14837C0633A79CC1B5A649F26BF313924A9861BFD3D0F5F396417825293
Reporter abuse_ch
Tags:AgentTesla exe geo PRT TNT


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.tnt.com
Sending IP: 185.239.242.114
From: myTNT <reply@mail.tnt.com>
Subject: Notificação de transferência de TNT
Attachment: Recibo da TNT shipping.zip (contains "Recibo da TNT shipping.exe")

AgentTesla SMTP exfil server:
mail.cosur.pe:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.3911.4845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523775
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Maps a DLL or memory area into another process
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 10:28:04 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4f22coics5wjwut5pns55mdbq5yhziqnluwpyqvl25of4wghtbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d851cea1f67f96084284555592a8b7037595b8cde621342489c7d52efccc8f2
AgentTesla
360b4186f8359ad7db7f3183a454bdb954156220a8f9a5a0fa2c955ce9f4cfe7
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
9a8d62fa3b66f6afa63911f0e456899199f80686435ac3253a18214ed27460c2
AgentTesla
9fdaeab4153639b870fcb0522b1e0801aceb515e51b20603a1413086a82825bf
AgentTesla
b6064cc9790f02ae68fe4150b25be527352129e5d9c49f81ac320c603996ae70
AgentTesla
dbf19db7d0a4b842c4652e84edf70acbf1e1d2a9bd50403ba8fa0cd5abbba587
AgentTesla
e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
AgentTesla
e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10
AgentTesla
f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1
AgentTesla
+ 2'636 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201107-sllx5tjcxs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3
MD5 hash:
a39eb134c963ff450009962b24819629
SHA1 hash:
fcd967ab2afd3c0dc91cbe43a5112e8caf423c80
Link:
https://www.unpac.me/results/638c772f-60e1-4b2c-8dbd-1ea4700ba697/
SH256 hash:
10fa87cd908dabe73900b595525d44bbbda7a2102bc454d1b1fcc78b85f2c3ea
MD5 hash:
93ef231997718721270d2b7dce3c1ef7
SHA1 hash:
af0f549063b83bb0aed30bee88b06ce5425a3f91
Link:
https://www.unpac.me/results/638c772f-60e1-4b2c-8dbd-1ea4700ba697/
SH256 hash:
3efa5db93782f62ac3b204f7aa6d02c5adbb22e5f5ce141af12a4be6899b3553
MD5 hash:
6387a6bcb038d197d4e4e5929a507a96
SHA1 hash:
78c1860f9b38211db5fae65d73eccfa1245d4da4
Link:
https://www.unpac.me/results/638c772f-60e1-4b2c-8dbd-1ea4700ba697/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:Embedded_PE
Create hunting rule
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e6156f0d394e75a5b11ff962cf488987b6fe6378b3bc0b77de8067d5f97ef39c

AgentTesla

Executable exe cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3

(this sample)

  
Dropped by
MD5 c0ea49cf2b0cf2de7e92143a75892503
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e6156f0d394e75a5b11ff962cf488987b6fe6378b3bc0b77de8067d5f97ef39c

Comments