MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf6b85c52f185fd07650cc5b26152f6a225ae59b3d64da7cea71718f330a2c46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf6b85c52f185fd07650cc5b26152f6a225ae59b3d64da7cea71718f330a2c46
SHA3-384 hash: 16517e1093403d5b076e2c70f3d90aa49e0dac6d6b8dd5217dea3cb1859cb41b6130ecad22382df51d1301e6ee2d6bd7
SHA1 hash: d5a0f22539cd8338cf47c45dfe74f4bb9135481e
MD5 hash: 1de6424d16897795e92171d0351eacfa
humanhash: helium-sink-wolfram-early
File name:FedEx Express-Reciept.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:601'088 bytes
First seen:2021-05-24 14:16:14 UTC
Last seen:2021-05-24 15:03:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:hzZU4qtozt/sTPKzUuBRj3fOUYBdfAU85IvM+X6I+9u:hzZU4qtozt/rzUuBtOPZ8IvBXw
Threatray 5'140 similar samples on MalwareBazaar
TLSH CFD4F13813649E55D0BE4B3E802612A083F4D5258643F31D6E8E60FDBDA3773CD676AA
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx Express-Reciept.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 14:31:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad257ec8-1733-4ca1-9438-a91f552fdca8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161509/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.747-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790437
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422831 Sample: FedEx Express-Reciept.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 6 other signatures 2->37 7 FedEx Express-Reciept.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\KcLtKRAVY.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp5D0A.tmp, XML 7->21 dropped 23 C:\Users\...\FedEx Express-Reciept.exe.log, ASCII 7->23 dropped 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 11 RegSvcs.exe 8 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 us2.smtp.mailhostbox.com 208.91.199.223, 49738, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->25 27 208.91.199.225, 49739, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 29 192.168.2.1 unknown unknown 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 4 other signatures 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf6b85c52f185fd07650cc5b26152f6a225ae59b3d64da7cea71718f330a2c46/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 09:16:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5vylrjpdbp5a5sqzrnsmfjpnirfvzm3hvsnu7hkofyy6mykfrda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
30ccedd667db53d5b9671da566a13669c109c57c96a0a07dec50252e396114c3
AgentTesla
3f5a7effc340c773a1ef95a0c709a9e92e3daccd1e584ba3e8c1270fdd54dc7c
AgentTesla
4d346a1b7ce11e30a28c5b58ecbce47f9cbcd14a11b449ca4a360e37e865adc9
AgentTesla
4db148b755b23786d900184cbaa5a8c84943b34270186638aaf29933a2b1b6ed
AgentTesla
6087c3fc050366e4c7f5b6118679ca85e5a1ab205e994919f41e035a386f5270
AgentTesla
751f26f5904fc057154022582141035b962f1593cdb08ef9d27a12e0965d16f4
AgentTesla
9d3ab8d52c79c14a132e08fd1c15d7b0078fef6bbf2bfa2cf5a2dca07a34286e
AgentTesla
a70c61eddfae506d2e24ab77c133ca0f60ed4d4b03077b3d4218b978faca6547
AgentTesla
b6621e6fa87f923bb57c6d71912366ce6043ae4e43bab3c7644499e8ae883544
AgentTesla
dcfdc0825f9965ecd51cdcae8eabcdca7aa1aea7625d3918d8bdc529b87114b1
AgentTesla
+ 5'130 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210524-yyb86qbnk2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf6b85c52f185fd07650cc5b26152f6a225ae59b3d64da7cea71718f330a2c46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2ce5a9f8be3febcaec5cd8354e4ba701508ee579654a770ea56244b0e810973d

AgentTesla

Executable exe cf6b85c52f185fd07650cc5b26152f6a225ae59b3d64da7cea71718f330a2c46

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2ce5a9f8be3febcaec5cd8354e4ba701508ee579654a770ea56244b0e810973d
Cape
Cape
https://www.capesandbox.com/analysis/161509/

Comments