MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e716a6275c285005eba76a08091ef155b7cff1bc0c417b14856e1a9bf47f0db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	e716a6275c285005eba76a08091ef155b7cff1bc0c417b14856e1a9bf47f0db1
SHA3-384 hash:	bd5b7ef7ae28c1cef97cb7e9fe11a50dda930a4df6a68a02019094bd17c1774e2059248571a3e92556bc248ec11d9660
SHA1 hash:	2663a3fa90e8505f37d62d81c1b912ae980d64aa
MD5 hash:	904513251ac62c6df5e0be6f2f1f655a
humanhash:	fruit-nitrogen-blossom-high
File name:	Booking form 3456278910.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	730'112 bytes
First seen:	2020-08-10 11:41:25 UTC
Last seen:	2020-08-10 13:14:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:dNBq2Alqph6lp2UxH0wORgTzgrpiA9yk+NqckjQc:03qh632UIRggQA9+NlkjB
Threatray	42 similar samples on MalwareBazaar
TLSH	9CF4E4C61F8ABE80D3E50731EF3EF6B0C314BE1D17978A789A81B55E307A2237495690
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: hotmail.com
Sending IP: 37.49.224.50
From: aditia malla<aadit94malla@hotmail.com>
Subject: booking form GJD04856-=UI8H&M&N&L
Attachment: Booking form 3456278910.zip (contains "Booking form 3456278910.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42735/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.21512.30040.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/416822

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e716a6275c285005eba76a08091ef155b7cff1bc0c417b14856e1a9bf47f0db1/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-10 11:43:06 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=44lkmj24fbial25hnieashxrkw3474n4braxwfefnynjx5d7bwyq._file

Verdict:

unknown

Similar samples:

1676032ec92d2d7eee0c1a051e4933dff5ea63f4abad1c869502a076c0974f2a

509d77d2bb2ae90f255bac13fe2ecee5a428956c1ce54873a9e89ae73878b306

57c5d9b907c60dfa4ab6c08d01639b4ab353b60b6af84b251a6763084c3b30ff

68ac6f6254e62bc5285579d1027024a8b63f8370ece4e134361264ff53cc2294

6c6e4ab5cfae334d310d66a79b2ec9947b66f14f4115b5240632bbeadb46a0cb

6c78a32328d131b8e75b30321d925c1e11d38416e744329d4a333822e4cfb7ec

c3653e5318419f8107d8bcc07a26f01681a189a5f448c417d99bed49b4131ebf

e0832a1f553c7fb2766cd743aefc05bbff71cd5a0c6737d9e65d784d7c8ac2de

f8238f8f8e66a8a79ac7e5e9f694137ff09f691a6f62284359696ac84ec63b78

faad832bfb6f193e546aad045e0d90ff28f4b7c60bf0e711a7f5ff8b90fc5039

+ 32 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200810-y8lx24vaqx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/e716a6275c285005eba76a08091ef155b7cff1bc0c417b14856e1a9bf47f0db1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 5a681b6a3a354019adb41da57b7f797dcb6464710c01ebcf1f34b769621c3d48

exe e716a6275c285005eba76a08091ef155b7cff1bc0c417b14856e1a9bf47f0db1

(this sample)

Dropped by

MD5 93a2dd71f703bc8ac43aa15d4378c4e9

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/42735/

Dropped by

SHA256 5a681b6a3a354019adb41da57b7f797dcb6464710c01ebcf1f34b769621c3d48

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample