MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5
SHA3-384 hash: 96121c1cfd24649e628bb61ffd9ed04cf3c6b6d791906925189139fc91c3a4c0e2320153b2e7149bcebbbc9391d198c7
SHA1 hash: 32cd3114bec19a799c46f044cdc1016bdf88965f
MD5 hash: 39fb50145f41597129835d91952df737
humanhash: wolfram-summer-nuts-michigan
File name:Quote FOB Price For Attach.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'247'232 bytes
First seen:2021-01-18 08:34:37 UTC
Last seen:2021-01-18 10:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:aw5jc5Jp6dJxgLvHNXsbiEsOqL+jsQmrcoWj9U7d+c:aw9c5edJxgLHNii9nlQ6XWj9SU
Threatray 2'239 similar samples on MalwareBazaar
TLSH B4459D3053EC9B60D3BF5EF8D90CB15963A8A506A254E368F9BD52F24FE1864449FF80
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: 임승범(영업) <salem2@sunmyung.com>
Reply-To: "임승범(영업)" <salem2@sunmyung.com>
Subject: a new inquiry
Attachment: Quote FOB Price For Attach.rar (contains "Quote FOB Price For Attach.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote FOB Price For Attach.exe
Verdict:
No threats detected
Analysis date:
2021-01-18 09:06:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/18cabbed-526e-458a-806e-ad5e1b70f5c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112492/
Detection(s):
SecuriteInfo.com.generic.ml.29207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/583492
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkrrtmrhg3sq7fegbfvps7hv24fewbzbc3ksykdsocbjk4zimksq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
26512ebf31c0f58d0d294d695f1a00c75ae5c9fc1a2938454fd91c0665ceb96a
AgentTesla
5e31a4916e479c18347d59e0a98dc12738efb5acbad3ba3e677fb24fd87e7adc
AgentTesla
67710323c3dd7ba7cc04081512bdb304b4d7edd72975f2891c1f5893fdb75a8a
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
8806e27a6f463fd221e6c97240c59e879bb6896d4f8f0e5291bc6c2e4c2c6fb9
AgentTesla
9972434ebdd96cf98cbc8849f08d6ca3120e5cf2553b3416bc0fccc5396c74b5
AgentTesla
9c9adb16561049288fd3f771b795890e2f9efa66c2eeb121cea935e7f843ce46
AgentTesla
b70435027f6fd88676d6b54087422fd696f41bffb783a8248affee5e6a62a97d
AgentTesla
f3b3138f016ca71657f2289fa5dec16bec138c3ed5632c244e6e36161106b45d
AgentTesla
f3dd0364478f5e8db5e914033bf34cd7e0a1cc3a66698883a3798ef35f61a36c
AgentTesla
+ 2'229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210118-4rcr9ah24a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/b7aa100a-efe4-4065-a6d3-ce6a07caa771/
SH256 hash:
0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5
MD5 hash:
39fb50145f41597129835d91952df737
SHA1 hash:
32cd3114bec19a799c46f044cdc1016bdf88965f
Link:
https://www.unpac.me/results/b7aa100a-efe4-4065-a6d3-ce6a07caa771/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar cbfe82729be1554a04027fc5a3a0dc09376c893d8b00cf8eee3c66c9b1b0dd22

AgentTesla

Executable exe 0aa319b22736e50f9486096af97cf5d70a4b072116d52c2872708295732862a5

(this sample)

  
Dropped by
MD5 0cd9f83259ab254c9b129a0acbe7fb99
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112492/
  
Dropped by
SHA256 cbfe82729be1554a04027fc5a3a0dc09376c893d8b00cf8eee3c66c9b1b0dd22

Comments