MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4d5fab1e5e40cf0377d5eaca0e427d01fcd61495743ea4290d8745163e84e56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	c4d5fab1e5e40cf0377d5eaca0e427d01fcd61495743ea4290d8745163e84e56
SHA3-384 hash:	e70d4d5725dc128fcccd3915463a97f1bc6fbff0e8713bc22de2b0ad34abf9550bebbe1fe7f0105bb94a02c2a132bdf1
SHA1 hash:	a98749b1465b8b212e5459cde3761f4f297ceeb3
MD5 hash:	e2f4002aff46a73990dbdc38109df9b7
humanhash:	oregon-asparagus-fish-zebra
File name:	New Order Inquiry 072820.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	489'472 bytes
First seen:	2020-08-31 13:17:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:GL65CbOeFslIVIgj2Lc191Ygp6d7jeIR75dcBnDiDC60hp7o6T+oNZqF4:v5CbhFC+aw192tjeo7
Threatray	83 similar samples on MalwareBazaar
TLSH	EEA41255663C8772DBF60FF5945E7C29D374981BA05EE3CEA8F122CA02E23984723917
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vps.confidencegroup.co
Sending IP: 162.144.59.93
From: Hunan Standard Steel Co <info@ocepasinov.com>
Subject: New Order Inquiry 072820
Attachment: New Order Inquiry 072820.iso (contains "New Order Inquiry 072820.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

84

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53569/

Detection(s):

SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/455536

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c4d5fab1e5e40cf0377d5eaca0e427d01fcd61495743ea4290d8745163e84e56/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-31 04:12:09 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ytk7vmpf4qgpan35l2wkbzbh2ap42ykjk5b6uquq3b2fcy7ijzla._file

Verdict:

unknown

Similar samples:

14ac862307f76bdf323ae2ae84ed2b46b35483202bf81031c716143343ba7b00

14c779eb9e7f6a3a77a4e0df7a8b64d7a74f7db8a7dede57dc5ce8936b83f5df

333bca520269ca114176493ed2b944cc38cea0bbf11844942f3b632bbe27378b

37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8

545305810b041d0a1ea357652c1b98aa714b039c16af8d1d7ecdd8e513a59d8b

9ffb458e6d120f6d42906c102ce49ecefbe4a937d6b605a4d3a1b3a7dc15e627

ae386b6cfbca2ad61a9a4d642e99cd9bfaf9cf7fd647c2b420884df5f6692ddd

aea7319d67789e4e524c4af9bcb842d66593a97dff25cb4be43eee5f5fb86963

bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7

f595019c294b2717aad61673e0214db90da5f880d5177c81b30f053004450a56

+ 73 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/200831-2zey675m9e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c4d5fab1e5e40cf0377d5eaca0e427d01fcd61495743ea4290d8745163e84e56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso a61087385d17cb63448fcf9658bbbca52bb4679301f2e505993e6a74087b5b39

exe c4d5fab1e5e40cf0377d5eaca0e427d01fcd61495743ea4290d8745163e84e56

(this sample)

Dropped by

MD5 fbce8c0a51b32b1b1c4f32a1f3eea822

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/53569/

Dropped by

SHA256 a61087385d17cb63448fcf9658bbbca52bb4679301f2e505993e6a74087b5b39

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample