MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb
SHA3-384 hash: a0735bd877c8a928848231528cb67cee64181afee913c2d6113a63883f8a12d352007bb6c276fe4d28ab7e475aa948f8
SHA1 hash: 40f101f8d173b932c92454fa2d46256aba242ed8
MD5 hash: eb6c8fc4c23b490a48f444f9d637bde0
humanhash: ohio-autumn-illinois-lake
File name:Commercial Invoice and Packing List For Shippment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:930'816 bytes
First seen:2021-02-05 10:36:34 UTC
Last seen:2021-02-06 15:52:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:UOp9gZeAnJ5eSd5tBEdflbccqeVdkIs3L/eWQ:FeZeAnld5tmdqcRt2L/eWQ
Threatray 3'638 similar samples on MalwareBazaar
TLSH 2115BEAC366079DFC917DD76CAA86C64EA2064B7570BC203902319EC9A1DADBDF105F3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Commercial Invoice and Packing List For Shippment.exe
Verdict:
Malicious activity
Analysis date:
2021-02-05 10:36:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/90b0d18e-d4f2-4ccd-9f3a-ebd4b1449e02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115728/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45683510.23263.5192.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600141
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb/
Threat name:
ByteCode-MSIL.Trojan.Artemis
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 03:23:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5qd3mi67m2vdvidx3i2pnqzx75qfcloxag3g6ubwjrmak7cy3vq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2312da2ef323fce368c195347eb7a3e663827ccbffe04ed3977287d3268ff4a9
AgentTesla
3df7f5b80ddcfcddd7c2a5fc2e64ccfb8467b0892ab6c5315906ec5d03cb8a72
AgentTesla
65b84cb59453db1032107a51ad2cf6c31c645f954ef0d43223ee2ff15fb5f2e6
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
AgentTesla
a9af2bddccc4126a93f8b0a3413df57fd0f70d8829c8cba61c8aae21c07423f6
AgentTesla
abe6a77fefdede7de287d151689f87a3f59eb496d94351f4085b3bc1a6b755c2
AgentTesla
b3169da25d6a50990a664203361eac74ab36b8f9412e46fd89e19f450993e307
AgentTesla
d6815935b80fc0d39cceab37523c71add55b175d975fa0d42169894b551e27cd
AgentTesla
f0211e8781298a2e49374b3ec7e974a4284fc81ee973f20048878f7eee5bbd3c
AgentTesla
+ 3'628 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210205-8jcq72n642/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
9ff32da41deb851163746bc45087ddaa14ef694a345a7d1237bbac5b5349b5f1
MD5 hash:
3574506ea4f129fe98af908d45536972
SHA1 hash:
f93869133f029ebbefc9ee6b6165b29adcf5c82a
Link:
https://www.unpac.me/results/73e35f82-e5b6-4edd-991d-aedc5ea23bf0/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/73e35f82-e5b6-4edd-991d-aedc5ea23bf0/
SH256 hash:
6774fb2db5cf37d8e1da93d31874d0e8201d73a65389c9f75330b3f9cba2dd24
MD5 hash:
2cf6c02088ee8f8b4a4782bd47f8deb8
SHA1 hash:
8292695310084754446459cb61090e9a50df75e3
Link:
https://www.unpac.me/results/73e35f82-e5b6-4edd-991d-aedc5ea23bf0/
SH256 hash:
cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb
MD5 hash:
eb6c8fc4c23b490a48f444f9d637bde0
SHA1 hash:
40f101f8d173b932c92454fa2d46256aba242ed8
Link:
https://www.unpac.me/results/73e35f82-e5b6-4edd-991d-aedc5ea23bf0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 0fface91e0888e5b57448dd002ba9c5c78111b22c423da495a16fd7b4c879186

AgentTesla

Executable exe cf603db11efb3551d503bed1a7b619bffb02896eb80db37a81b262c02be2c6eb

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0fface91e0888e5b57448dd002ba9c5c78111b22c423da495a16fd7b4c879186
Cape
Cape
https://www.capesandbox.com/analysis/115728/

Comments