MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7
SHA3-384 hash: e983ac58627a214af379d708d2130673acb1e51305bf1f95bd29b9c9165393ec17c94ab4d2289a449f5735dce7867ba0
SHA1 hash: a9894f5799c3a79876ef5f98e6618cab4ca490b8
MD5 hash: f3e8740562d6287d2f82cb1c56aa3872
humanhash: fanta-twelve-music-uncle
File name:MRKU8781602.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:656'541 bytes
First seen:2022-06-01 11:36:30 UTC
Last seen:2022-06-01 11:36:49 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:F1KWt8T0Vl+/nZGL6g0oyzCn2LDrlIlNYn9QgbvPlrFQecp01FOUQM:rXI0nkZ0IDCnoeDQ3RaM
TLSH T151D433FB98C66060B4F2D426D0BE6C452B9476C67276B84B7CD98806E7DB17333BA113
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla Maersk zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Maersk Notification <finans.onay@maersk.com>" (likely spoofed)
Received: "from postfix-inbound-v2-6.inbound.mailchannels.net (inbound-egress-6.mailchannels.net [199.10.31.238]) "
Date: "Wed, 01 Jun 2022 13:28:56 +0200"
Subject: "Your Transport Plan has Changed - Maersk"
Attachment: "MRKU8781602.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.17812.16560.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 11:37:09 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcfzvsrbeqvk5grz4m3rlhksj626lqkxitq3sth3jhwsxemsmx3q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220601-nq5m1sgch8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 188b9aca21242aae9a39e337159d524fb5e5c15744e1b94cfb49ed2b919265f7

(this sample)

AgentTesla

Executable exe a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a310036353168d56a7d519f39e601dc7dee833a9e782b9f7661e8b55e2a31139
  
Dropping
MD5 3ab41d1d6f9ba76b483a79900648422c

Comments