MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf
SHA3-384 hash:	ff15f50cb79b0ee84d80d2fb12f3a4d1758ac2376bedfddfc7e43b02d4249e29d0cb58c836e9c668e76c0647bcfebdc2
SHA1 hash:	8dc4e34f6b1a405b2e8dce22329e4f8fb50f2719
MD5 hash:	8b52d04793b3609e8de185680551d8c1
humanhash:	michigan-georgia-aspen-indigo
File name:	STOWAGE PLAN AND PACKING LIST.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	629'463 bytes
First seen:	2021-05-04 09:47:15 UTC
Last seen:	2021-05-04 10:01:12 UTC
File type:	zip
MIME type:	application/zip
ssdeep	12288:7ICbhGrz3Lh2I2EneE83u5sqq864OvUyNb95UupyVMpB23j:zbwrz3lNXneeq864MHauwz
TLSH	45D423E34D05677E3E3BC1BA625D424274500038BF6EA7F5E9CE8E498F8689C5DF1624
Reporter	cocaman
Tags:	zip

cocaman

Malicious email (T1566.001)
From: ""Ops-Agency"<gbarbetta@mircosanti.com >" (likely spoofed)
Received: "from mircosanti.com (unknown [31.210.20.71]) "
Date: "4 May 2021 01:48:12 -0700"
Subject: "PDA REQUEST / CASH TO MASTER INQUIRY"
Attachment: "STOWAGE PLAN AND PACKING LIST.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-04 05:06:49 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bgpo2kdszx3jf3kay7d6jv3avwz4heespnznjizsk4xx5zqupxpq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210504-5k5vm6zemx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 099eed2872cdf692ed40c7c7e4d760adb3c390927b72d4a332572f7ee6147ddf

(this sample)

AgentTesla

exe fd7472363bdcd092b7fc8c1134b2a20001948c24a9ea43638beeb0dc772362d6

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 fd7472363bdcd092b7fc8c1134b2a20001948c24a9ea43638beeb0dc772362d6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample