MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd
SHA3-384 hash: 8c7b6ff7a395f38f57901ffeba4c9557403b490c17c2e8a917659aea15ada59367119254bf8fb89e79b501ab4297be41
SHA1 hash: d38fd197dd535da5f62b23f9d35a16e02d559463
MD5 hash: acbb93273e9eb24b6982c51b038a90cb
humanhash: king-leopard-steak-muppet
File name:PRE ALERT DOCUMENTS.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:680'527 bytes
First seen:2022-06-08 16:24:19 UTC
Last seen:2022-06-09 05:54:23 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:lqR8h14zDdrXKFClTPi5Wp0HIU07FqkXowm8yE7OAZ5wUVBAhYoN4wJ:E2hSzhXKFCVPi5P6YwmFPAZSUchF+wJ
TLSH T1C3E4230B9E27AFBF1BB095EF0159FD33A0968A42479971DC34E8409297E05CC89779F2
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla Maersk Shipping zip


Avatar
cocaman
Malicious email (T1566.001)
From: "fuxidong<fuxidong@goldenrock.cn>" (likely spoofed)
Received: "from goldenrock.cn (unknown [180.214.236.254]) "
Date: "8 Jun 2022 10:43:28 -0700"
Subject: "=?UTF-8?B?UkU6IDR0aCBTSElQTUVOVCAvLzEgeCAyMCDCtE9NVCBURVhUSUxTIC8gRVZBU0lPTiAvIFRVVElDT1JJTi0gVkFMRU5DSUEgU1BBSU4gLSBPTVQvNTY0Ni00?="
Attachment: "PRE ALERT DOCUMENTS.zip"

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.16595.10521.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62a0cd676aa17a21fc2cc9d0/reports/eb41d662-2fbe-4c19-9038-958f8a2abd5a/overview
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-08 15:46:35 UTC
File Type:
Binary (Archive)
Extracted files:
25
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekwrz6c464pkzfp4zucwj5d3gib2ge4zbf6b5fn4fjwabcnhrtgq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220608-twx31sbad6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1562684159:AAF0RHsedAMUFPfvPk6IyrreCEPxQ_b3Y3g/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 22ad1cf85cf71eac95fccd0564f47b3203a31399097c1e95bc2a6c0089a78ccd

(this sample)

AgentTesla

Executable exe 01b9dcef06125de378e0a88f398cb651e2b3200eaef8d4847136b1dc6560057f

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 01b9dcef06125de378e0a88f398cb651e2b3200eaef8d4847136b1dc6560057f
  
Dropping
AgentTesla

Comments