MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c
SHA3-384 hash:	fe472522df7e5aa30306d4517bcdf966ea813878bcc728e87f6fa20f6db5b43f1be41662a82a889f429afc1b7fdb09b9
SHA1 hash:	bd90319610781d2b4cf9c4c53c06bb97e7e1fddf
MD5 hash:	751540d8bb06b1a78856f1ce061c7665
humanhash:	aspen-rugby-uranus-batman
File name:	PAYMENT INVOICE.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	305'119 bytes
First seen:	2023-02-17 11:33:59 UTC
Last seen:	2023-02-17 11:35:49 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6144:EStnj/2D+b/7pcDKnxk811TCKSHZN63iUvfIFhipcnqz:Ntnj/37pwwh11295giUvfIKsqz
TLSH	T19B542317BE18209B21DA10D6DE66F69312DA5D1F146E5AA9BBC5CB34D1EBF38CC0C434
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	INVOICE payment zip

cocaman

Malicious email (T1566.001)
From: ""BDD1"<bdd1_sha@unitex-log.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.94]) "
Date: "17 Feb 2023 11:31:54 +0100"
Subject: "RE: Unitex SHA - Invoice & SOA ready for dispatch"
Attachment: "PAYMENT INVOICE.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PAYMENT INVOICE.exe
File size:	319'892 bytes
SHA256 hash:	45e3147f1b2fdcd97492b8bf95ca8f6b18493f395f1f8725a2cfad936391d4e2
MD5 hash:	6e2e0c79e5a40859fdb2153a9a32a04f
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.30834.20015.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ef662a87510c38b7353477/reports/0c6625a4-37ec-404a-80d3-1138d929d354/overview

Verdict:

Malicious

Labled as:

Mal/BredoZp

Link:

https://www.hybrid-analysis.com/sample/229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-02-17 08:49:35 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

13 of 39 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eklio2a7yyq27rrtxpju7b3vtxy2ylmvfaufmwzydocpdt35pkga._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230217-nqj2bafb87/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/229687681fc621afc633bbd34f87759df1ac2d952828565b381b84f1cf7d7a8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg