MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90
SHA3-384 hash: d2fd615305ed5821d82f31c7208b3902fa3cbf98ded2b5df37eb83fc1b6546761595e88f94a1ccdafc47c61c93a725e6
SHA1 hash: a41875bdfa74debd58c011d8e62128e3af12c3f6
MD5 hash: df46f6e5f6aab71a209df7f4a90fee09
humanhash: skylark-texas-ten-beryllium
File name:Marcelo Prieto Inquiry_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:568'832 bytes
First seen:2021-08-09 05:22:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:eEOwTLBumTg4zoKhHoW4V40WIihTRrseeND3jKFvJ2O8XlHQm+jKMn64hj144Esr:Hjvh34+FahOdJr4HQPKMnVj144P6K
Threatray 8'046 similar samples on MalwareBazaar
TLSH T114C48C2B21944617E47CD6FD2954060BF379DFD6B1DDEA85EC8B34D2CA72B82118828F
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Marcelo Prieto Inquiry_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 05:47:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f98f31c-fa4f-4fce-98ca-665cd136e659

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177406/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.59225.720.25954.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df620ab0-491b-4a90-8b44-46a5732ba86f
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829002
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 02:37:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dhy4dzudch7owrqb4yy2kurx7voosq55ql3jt3rqm53qanyjwia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f19539c1aca12bf11bb1084ea7745240b7b7690a80140c757de6ed382eb58c1
AgentTesla
66c452b78b6021522f6b726773698cf4bc94e3e6a6b220ca930996afb30fab7c
AgentTesla
7e2f14e47ce41dff01f74023757a74a7352ff9ce7ee39d2f78b61ff2a5993897
AgentTesla
978adbd45151d6b915f683cef40113cc2fa08ab0686682b2ce44b9f5b33bb4dc
AgentTesla
bcbb193947047dbf82cedf1e08cb2e7aba46db9802789595d746e31f870fc4b4
AgentTesla
e12243e5bae35e437f9e88665c52d3b5086cc5dab0eb5c682132a288625b023d
AgentTesla
e9342d5c2ca95888a7589ef0fa20636b3534e64a8e7b419e772977c04745dcc7
AgentTesla
+ 8'036 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210809-yh8pkr2tls/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/4046165d-2ec4-4f4d-9212-ad0843af63af/
SH256 hash:
e4d676a2adf821b7cc264ae1b53b09195c3549d05d9de9d139fa487178bc7afe
MD5 hash:
6d065136edb598b07a8dcd6a5f212bd5
SHA1 hash:
9329df66c068234e5ef46a3ca7ad0aefe83705b3
Link:
https://www.unpac.me/results/4046165d-2ec4-4f4d-9212-ad0843af63af/
SH256 hash:
df3acee92bcd4408ef2404f643579ba3ebf97698f3c2923c136722e2673b7157
MD5 hash:
099fb9ecf836fa073d3e41652bf56b2e
SHA1 hash:
6b8d875ed66e2695cc669a5cd18422296ce7a4b2
Link:
https://www.unpac.me/results/4046165d-2ec4-4f4d-9212-ad0843af63af/
SH256 hash:
d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90
MD5 hash:
df46f6e5f6aab71a209df7f4a90fee09
SHA1 hash:
a41875bdfa74debd58c011d8e62128e3af12c3f6
Link:
https://www.unpac.me/results/4046165d-2ec4-4f4d-9212-ad0843af63af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394

AgentTesla

Executable exe d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394
Cape
Cape
https://www.capesandbox.com/analysis/177406/

Comments