MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580
SHA3-384 hash:	d069d7a3179569d8376ec5775717a289f271f040b801264e117079d957bb1702481d024973c1a93987b9bdf46ef25ae7
SHA1 hash:	2fb6aa095ff9406b65f49e94303c925cf8d44fc3
MD5 hash:	8341d551a5b1665cbb0f65780530b20c
humanhash:	speaker-failed-edward-one
File name:	PO# 7431.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'022'400 bytes
First seen:	2020-07-09 06:39:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:51U95MorSjOQ6am6lDsp/kHpdTiAqboWyGDkz0b+ZtDVkQsUQx/VYb/3kSGZ:ErYOQxmpcHD0botGDi05Vsk1
Threatray	10'913 similar samples on MalwareBazaar
TLSH	E795E0057144ACA3CF98ABBEF96A5D4482684C364FC2E14F21447AB6DFB728DEC450DE
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

Malspam distributing unidentified malware:

HELO: cloudhost-139867.us-midwest-1.nxcli.net
Sending IP: 209.126.30.106
From: Tian <enquiries@vinta.com.sg>
Subject: PO# 7431-mendesak
Attachment: PO# 7431-mendesak.IMG (contains "PO# 7431.scr")

Intelligence

File Origin

# of uploads :

1

# of downloads :

82

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.UTO.9022.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-09 06:41:10 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4zpt47kymudrd6a5a3sq4u6o2s3dn4en6dxnqam5pet6c77mswaa._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

10db1916ce0eeb68ea79bd2aa82f372ed4e2a831f36c7ccfd6292747bd6faa68

1eda9e7d4d2e9846bd9de68424eb590a324bf19465a1019fca4efda13f7716ab

2ad7e2382efb6fe85a117f20f192029091cfaeebc7a17f4164b158ab63874d94

446f16b0c437e7be8d51c9365276bcee5cd8709f0a1bbb95fad2969c21e2db54

4837818e08ee30bf269de7aea2a96c3bf5ad97dcac42a9b119011e2d9a744115

55add5e5138bf35c9ef1a148b681358e4731131a72be0ebed59a28e7f7fd7eaf

7c4cc1790fbea6474d3bca240acf5221df1aac14c332cff9bf1a56c33747d7f2

9daff52b5fd16bd2ff808e6b4ba02d6b46e00d27520ffaabdf42e20d1378a15c

ee5d2dab2b72605b3d092c5881f8485a26b8725c70a9fb77f733209e30099463

fc89e8d722a8625e80e22f5a19ef1371e388e1583e55618f2ea2451dfe356845

+ 10'903 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/200709-mp7pnrc7x2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Adds Run entry to start application

Adds Run entry to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 863e9092dd311928a0798f6734fb69205c554f77681d7e23207a01e470374661

exe e65f3e7d58650711f81d06e50e53ced4b636f08df0eed8019d7927e17fec9580

(this sample)

Dropped by

MD5 1ff3016d8d86b42c14c34d9aac110e7d

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 863e9092dd311928a0798f6734fb69205c554f77681d7e23207a01e470374661

Cape

Cape

https://www.capesandbox.com/analysis/23421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample