MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 049ba08f998d24b995efc44a84abae967ca8a948487b1595a8969f28e44e53a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

SHA256 hash: 049ba08f998d24b995efc44a84abae967ca8a948487b1595a8969f28e44e53a1
SHA3-384 hash: a909a5cdd7f13c35ab4c6c6f3110d0cc0b68701fddf93717e9c022356383ddfeb1da17c85a6ba61dac22f919562bd231
SHA1 hash: 1228b1057baf79d70ddbd0fb72e937df236b8e94
MD5 hash: 8eec65a6a19f3f54da87e009289a1904
humanhash: echo-twenty-massachusetts-speaker
File name: BL-pdf.gz
Signature: AgentTesla
File size: 509'360 bytes
First seen: 2021-05-06 11:36:54 UTC
Last seen: 2021-05-06 12:01:44 UTC
File type: gz
MIME type: application/x-rar
ssdeep: 12288:fysbjdnvq/oukWHKWvSFHokma0SO08aBBYKx2wWz3u:fyI9vq/oukE9vAHoA0I5BhbWze
TLSH: 50B423690B8161E38798C8381FAFE4473C3799E0F789FA066A9D7405DF16E7208539AD
Reporter: cocaman
Tags: AgentTesla gz


cocaman
Malicious email (T1566.001)
From: "info@hengjiapipe.com" (likely spoofed)
Received: "from hengjiapipe.com (unknown [103.139.44.91]) "
Date: "6 May 2021 02:53:01 -0700"
Subject: "BL: YMLUZ240136204"
Attachment: "BL-pdf.gz"

Intelligence


File Origin
# of uploads: 3
# of downloads: 105
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-05-06 01:57:10 UTC
File Type: Binary (Archive)
Extracted files: 3
AV detection: 22 of 47 (46.81%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
gz 049ba08f998d24b995efc44a84abae967ca8a948487b1595a8969f28e44e53a1 (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: AgentTesla

Comments