MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397
SHA3-384 hash:	c827d6c46f78d60e8b00c4cdc745bc050b2ff8879598286444f95c429a94047b1fe794c08bba7e16880d3f4ae99c6cf2
SHA1 hash:	f7d3cfeef02d4f1f03c9f83749f27b724eec6c19
MD5 hash:	d87e05169b42accd21ad728f48c03620
humanhash:	solar-mobile-mobile-princess
File name:	Due payment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	472'576 bytes
First seen:	2022-11-25 01:22:43 UTC
Last seen:	2022-11-25 06:29:25 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:vjUeR9Zb3yW8cS4MiC+Xx2jt/WXqLWpa1OWnReoZw40:L5Rrb3yiNPy/WXv07
Threatray	655 similar samples on MalwareBazaar
TLSH	T1CAA4F10AB6216503DBEBE93D9050B7BDB12C23D26C097C1B5D1C5E2E2C640F28D6B6F6
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Due payment.exe

Verdict:

No threats detected

Analysis date:

2022-11-25 01:23:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4427c19d-79ae-4f66-aaf4-7730f531293c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/338239/

Detection(s):

Sanesecurity.Rogue.0hr.20221124-2135.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638018f7559d07a06f474c65/reports/1a3cc3c7-537a-4ba9-b394-52bb3eb7f7d5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4d625fc6-7d32-47a3-80ba-2199ee213ab7

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1120803

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2022-11-24 19:29:39 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 40 (45.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aazppzfsmtv5ekc4yutql2bn3e6k5usya2ptymvtihl4dv4uqolq._file

Verdict:

malicious

AgentTesla

17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd

AgentTesla

4de3e9f694f5d5b215f54ad1d220511436e39751ac19201188a97f3e56d874ef

AgentTesla

55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc

AgentTesla

585a367610ffd8f7ae17423b182ec60048ba49a3ead6f2f84a2e4ad3fbd0195d

AgentTesla

a78731da2617fe258f08a30bb02775a66e2b8363e5b84f97aa61a0baf178a927

AgentTesla

cacae6414253adb53f45fdde77f42642cd773f2eb6061c2dbc9a2abbf095b90a

AgentTesla

d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1

AgentTesla

d442cd3002178041faa5d9d233820b84031a3432f5384ce9e8ec8990a2e15b70

AgentTesla

+ 645 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221125-brs96abh87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a5c095a3-619e-4571-b725-37d8bb5cc8e1

Unpacked files

SH256 hash:

0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397

MD5 hash:

d87e05169b42accd21ad728f48c03620

SHA1 hash:

f7d3cfeef02d4f1f03c9f83749f27b724eec6c19

Link:

https://www.unpac.me/results/2c0a980e-1aa1-44d2-b49b-63a7ce357af4/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0032f7e4b264/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6984463797a30174732c80f976c92eceb5f0abe5216489e735ff3917b646f256

AgentTesla

exe 0032f7e4b264ebd2285cc52705e82dd93caed258069f3c32b341d7c1d7948397

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/338239/

Dropped by

SHA256 6984463797a30174732c80f976c92eceb5f0abe5216489e735ff3917b646f256

Dropped by

MD5 ca844b92f7c7144b1c9a20a65219ee5f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample