MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4
SHA3-384 hash: 21cae4cf15bb7a2c12d526ae25ab9bc719594179c43740a2ab6105b52b690cef2640f0286d07e33cff411b1b1b5fedf6
SHA1 hash: 1a34ecc99e8bb60e6a59a5cdeaa3571b2c5bae40
MD5 hash: 6bf6b9eebca064ba7ad765e8185d0e62
humanhash: tennessee-indigo-one-cold
File name:Payment Copy (Swift-TT).zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:423'187 bytes
First seen:2023-10-28 07:22:03 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:8hfz3frxnshs5/ii21GPH3lUGUHD6RN0JeL:8hLvFshscixH19Ujp4L
TLSH T12D9423447B502C9BA47CF2FB761C85CD6A86BB63DCF721882CA32876D33F9946588D50
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla payment SWIFT zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Greg Palatnik <greg.palatnik@abrasiviadria.com>" (likely spoofed)
Received: "from onchannel.co.jp (unknown [72.11.157.196]) "
Date: "27 Oct 2023 17:21:03 +0200"
Subject: "payment confirmation"
Attachment: "Payment Copy (Swift-TT).zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Payment Copy (Swift-TT).xls.exe
File size:1'400'320 bytes
SHA256 hash: 8fc6c26fe82eec54cdc4c211a6535c69026adcf9d551af985ce6f79857582a78
MD5 hash: 5e051b9bb6439ed5e6e996704781b8ae
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_xls.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/653cb6a0a6fa5eab936934a8/reports/17804ae7-0dfb-4ef0-acb3-e867dc330e5e/overview
Verdict:
Malicious
Labled as:
Mal/DrodZp
Link:
https://www.hybrid-analysis.com/sample/27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-27 13:25:18 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
15 of 35 (42.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6eqvjpye6nj6ubolzpv7drq7jkyapmjcb2no5uin5nokaopjp2a._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231028-jhhq3ahc42/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5870878058:AAEtYpDY1LBnBQGwZvkWktoa3wzKq0kSk78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DYEPACK
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 27890aa5f8279a9f502e5e5f5f8e30fa55803d891074d776886f5ae501cf4bf4

(this sample)

AgentTesla

Executable exe 8fc6c26fe82eec54cdc4c211a6535c69026adcf9d551af985ce6f79857582a78

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8fc6c26fe82eec54cdc4c211a6535c69026adcf9d551af985ce6f79857582a78
  
Dropping
MD5 5e051b9bb6439ed5e6e996704781b8ae

Comments