MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c310fa4a37776fd5a0a9b015d77606cdae9c2492620fee44fd45df088037f2cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7


SHA256 hash: c310fa4a37776fd5a0a9b015d77606cdae9c2492620fee44fd45df088037f2cc
SHA3-384 hash: 7643349fd0b9f3068a65ceff37a520701641d13328302b0981a03f6e30b648394b854e8ea9f65c7fa450d06afe1ac3a5
SHA1 hash: 07a99a2cb9738429d55a4d46c7ff0a460308f980
MD5 hash: 943fde4ec9a2c64e2802f5d7940ed0cf
humanhash: network-single-fifteen-undress
File name: js_plus_100_bytes.msi
Signature: AgentTesla
File size: 103'524 bytes
First seen: 2022-05-09 03:42:32 UTC
Last seen: 2022-05-09 04:38:43 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1536:Vlnjg5f3DXJLA4hogTCt4TlfIoGNl7BTYjP+0Yk/NJWIaVIZwDY9r+Agn2s:DoJLA4XXlfQgPGk/NJ1ZwDm+Agn2s
Threatray: 1'721 similar samples on MalwareBazaar
TLSH: T14FA396163F0A6133CB4D53396907D2D0A6F58D178AE1C2033162B1DC9D725DFAAAFAD2
TrID: 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
      8.7% (.MSP) Windows Installer Patch (44509/10/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: obfusor
Tags: AgentTesla msi Ransom

Intelligence


File Origin
# of uploads: 2
# of downloads: 274
Origin country: n/a

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed replace.exe
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature:
  .NET source code contains very large array initializations
  Deletes shadow drive data (may be related to ransomware)
  Detected unpacking (overwrites its own PE header)
  Drops executables to the windows directory (C:\Windows) and starts them
  May disable shadow drive data (uses vssadmin)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 622421; sample: js_plus_100_bytes.msi; start date: 09/05/2022; architecture: WINDOWS; score: 80)
Signatures on the submitted sample:
  Multi AV Scanner detection for submitted file
  .NET source code contains very large array initializations
  Deletes shadow drive data (may be related to ransomware)
Process tree (as rendered in the behavior graph):
  msiexec.exe
    dropped: C:\Windows\Installer\MSIF7BB.tmp (PE32)
    Drops executables to the windows directory (C:\Windows) and starts them
    MSIF7BB.tmp
      network: 138.124.184.8, 49847, 80 (NOKIA-ASFI, Norway)
      Multi AV Scanner detection for dropped file
      Detected unpacking (overwrites its own PE header)
      cmd.exe
        May disable shadow drive data (uses vssadmin)
        Deletes shadow drive data (may be related to ransomware)
        4 other processes
      cmd.exe
        conhost.exe
          conhost.exe
          taskkill.exe
        taskkill.exe
      cmd.exe
        conhost.exe
          conhost.exe
          taskkill.exe
        taskkill.exe
      39 other processes
        taskkill.exe (3 instances)
        67 other processes
  msiexec.exe
Threat name: Win32.Trojan.Lazy
Status: Malicious
First seen: 2022-05-09 03:43:05 UTC
File Type: Binary (Archive)
Extracted files: 21
AV detection: 8 of 42 (19.05%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: ransomware
Behaviour:
  Checks SCSI registry key(s)
  Interacts with shadow copies
  Kills process with taskkill
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Drops file in Windows directory
  Enumerates connected drives
  Executes dropped EXE
  Modifies extensions of user files
  Deletes shadow copies

Malware family: AgentTesla.v3
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments