MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0
SHA3-384 hash: 411dfa0abe9764100f3d0d39fd3565496a92c719555d069ebbeafed96892081d2dc4b6bb4e6c8542a5d0161eee2a95e8
SHA1 hash: e91854c61a77913a2b73c5e70c63814cecc03eda
MD5 hash: fcf267c5a024af4a880c33317eaa5432
humanhash: triple-early-oxygen-ink
File name:fcf267c5a024af4a880c33317eaa5432.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:888'320 bytes
First seen:2021-03-16 18:52:32 UTC
Last seen:2021-03-16 20:37:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Q1vgP7wNvG4bkaDv/JP2EcwdiH6gZlrBngZKqHqlNiliIDkEltmdTozW6ESajWiK:O6tZlNgrHsfItltmdQWVbJOtYeSx
Threatray 3'269 similar samples on MalwareBazaar
TLSH 0415C0302AE95619F17BAF794AE470959BFFF6237706D41D2CA103C60713E41CE92A3A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c51657aae82b4c6c4b5704f72c33521c6cd81e217af49c71d794078ddf07d77
Verdict:
Malicious activity
Analysis date:
2021-03-15 04:43:29 UTC
Tags:
exploit CVE-2017-11882 encrypted loader rat agenttesla trojan
Link:
https://app.any.run/tasks/2ba7b816-8066-40bd-bae0-a4ecd5772c99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124381/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576.13314.10711.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08d67372-b4b8-4634-a945-03d73a925fd1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/641235
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-03-15 06:06:36 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4hziyv2mwgiioqeq76djafemok5gf4armmqzzkbm6qkryw626qa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
274bb5ebe00e54abcb11eab5afa80ad58e3756bf531e464308d6e3f2b5622775
AgentTesla
420eb55a610b87b50a1f216ad003ef777283224e1aaedad7723f240ff1fed218
AgentTesla
492a4a339324e1bb41f6d4d74b43c8bd886fed3f808532e599a49a3f220d1878
AgentTesla
747ee0971e16540fa80072cdcc9e28a2f3fca2303303920c802219ea64c5bef2
AgentTesla
a03e120f219832ce89401ddfe77837c3710b505e5480842bf298704b3cc38085
AgentTesla
ada9e40cc23034647f8fc8f61c2beab53b8b9974fe1456c63aeb934e4ea43816
AgentTesla
b90e1e7edc9c706f49052560be86957b71f1dd905ee08c9441dd686546bd9804
AgentTesla
b9c82068f2880f34b3bf0dfb60d5c14c51d9317845cc58cb181a1e2639a960c4
AgentTesla
d62db8a909debd7ac39dca5850db5bf150756f27cc50417efc285a812b378b84
AgentTesla
d7e0b6706a39df884a2ca79cec3551afb17970eaf1b7fa1828bb7ef0af6718ca
AgentTesla
+ 3'259 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210316-bwxp864l72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
da3a99534824255ff1ec7683cc02bb4de7086b7ac0d4b69205434638c50510b3
MD5 hash:
ca7979e7723dfb802f49395076754b11
SHA1 hash:
3143a40ad67116cba11d167dc1eaffed6fce4b07
Link:
https://www.unpac.me/results/526ee611-12b0-4969-8c01-f4ce8fca6a6d/
SH256 hash:
cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0
MD5 hash:
fcf267c5a024af4a880c33317eaa5432
SHA1 hash:
e91854c61a77913a2b73c5e70c63814cecc03eda
Link:
https://www.unpac.me/results/526ee611-12b0-4969-8c01-f4ce8fca6a6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe cf0f9462ba658c843a0487fc3480a46395d317808b190ce54167a0a8e2ded7a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1067146/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124381/

Comments