MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 244d44fda9c8c6d0824059551aaf4a8f983affe67a77e9ce31459de208be4609. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	244d44fda9c8c6d0824059551aaf4a8f983affe67a77e9ce31459de208be4609
SHA3-384 hash:	6aeb75da9400bda7434073f2e0ca0b94958829bb7bcb6905e37502c182e866bbed3d8b775dc9693bb74f41b48c7fd38d
SHA1 hash:	0b762f89aabeefdcc5ac6dd5da3d0ead025de2ec
MD5 hash:	502e24df196ccf6d8a4c46416fd51b91
humanhash:	oregon-sad-monkey-west
File name:	RFP.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	756'224 bytes
First seen:	2020-08-27 05:47:07 UTC
Last seen:	2020-08-27 07:19:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'616 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:OcEUGovFJiR/nZMELXq3hqcBXWlsct84LxRO9vvHpa0HnyO:lEUInZmJ9WSo8QRO/a0
Threatray	54 similar samples on MalwareBazaar
TLSH	50F40264526DCF19E9EF07BC983E700502F7BC69A4F1E24E5A55B11A2AB33C24427F63
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mx.eat-qreek.com
Sending IP: 138.68.45.109
From: iuu@eat-qreek.com
Reply-To: sales@mekar.ae
Subject: Re: Face Mask Purchase Contract
Attachment: RFP.rar (contains "RFP.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51601/

Detection(s):

SecuriteInfo.com.Fareit-FYV502E24DF196C.14276.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/452281

Signature

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/244d44fda9c8c6d0824059551aaf4a8f983affe67a77e9ce31459de208be4609/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-27 05:49:05 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=erguj7njzddnbasalfkrvl2kr6mdv77gpj36ttrriwo6ecf6iyeq._file

Verdict:

unknown

Similar samples:

013d92479d88b8e1c76b764f9362e1c101481b6c26ac40dacec77b7910ec7344

1b70d8bec1085949c128725ae5a8b69ccaeda7c20fb1e7be0d6e9ff2b5ef1a85

3b70052787ba01b0f7d97fe6bb0278e739e0837d827769710e0514605ab6b474

47a8274c13d1205f8651a7b2df233e51e59b369ce8250cc755ff61d422afa561

483fc85417b647e1100ca61a281e1c2bce0d2a7d66db220f72ec4f1f2d7e2ab9

82c21c0385cf81bd1bebb5be82fb080207e1189729202980c408151692637a02

98d4b7190b6a816819aa380c586680a0b5129d9516d51a2eed25f6399c93b23a

b2532be6f4f18504d0cdb50f75d84d41880203d3ad0d51a499ea8d48b2d97a64

bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b

cb77918ae8d2691de468c12d6a6074156a81b7774eadbd7197038285140d94cc

+ 44 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200827-7nz5mec1he/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/244d44fda9c8c6d0824059551aaf4a8f983affe67a77e9ce31459de208be4609

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar fad7ac53bef9348970b524d1918b9e9429dfda893a60642d0081ec5a8c5d9e18

exe 244d44fda9c8c6d0824059551aaf4a8f983affe67a77e9ce31459de208be4609

(this sample)

Dropped by

MD5 db6c912d7475644d5fe3b37ded1142fb

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/51601/

Dropped by

SHA256 fad7ac53bef9348970b524d1918b9e9429dfda893a60642d0081ec5a8c5d9e18

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample