MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8
SHA3-384 hash: 1c80cac2341d909e0a5cd42a4e444fbce3bc8260a333ff9676a1744207bc6559fbe386be63aae881a1be2331f1d5165c
SHA1 hash: ffcc73d7319bf496f38bb53950caf89acdd4b603
MD5 hash: 2d2000ae7f5fe844c579d1e90f455b06
humanhash: robin-october-west-yankee
File name:URGENT REQUIREMENT.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:487'109 bytes
First seen:2022-11-29 08:42:28 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:1dvfUKAHgug+bms2h+mqHlwCsRpA6Mm6CHR:1dvfUDg+bjHwk6MmrHR
TLSH T189A423AE73F29A7DC27A732575F147B9871C94502CAC230AB8ABDC78D1D85CC6B43824
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla RFQ zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Aprille G. Castaneda"<sales@shenghai-alu.com>" (likely spoofed)
Received: "from shenghai-alu.com (unknown [45.137.22.154]) "
Date: "28 Nov 2022 15:24:58 +0100"
Subject: "RE: RFQ 4130 / Supply of WAREHOUSE TOOLS AND CONSUMABLES / URGENT REQUIREMENT"
Attachment: "URGENT REQUIREMENT.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:URGENT REQUIREMENT.exe
File size:489'984 bytes
SHA256 hash: 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f
MD5 hash: 9d97e728e9d190e4be44cd0e2b6af94e
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs3149.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Malware.PDB-57.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6385c617151dc20f68a7dd19/reports/2fa2c32a-d971-450c-be65-52f9249c445e/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 01:38:04 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egr3eylecmu3jm73w6oter3l3uc2pjcfhbem2dgucqd3sczjjdua._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221129-qmsv6acg23/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 21a3b261641329b4b3fbb79d32476bdd05a7a4453848cd0cd41407b90b2948e8

(this sample)

AgentTesla

Executable exe 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 81278e61b365975c3ba6eb47c4734c4831e2488dfd3357cf8d0d018b4a57123f
  
Dropping
AgentTesla

Comments