MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28f8639327d0298b913f95a51b29093f2bd9f4efb3442ea20ae202ec998b1bd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7
SHA256 hash: 28f8639327d0298b913f95a51b29093f2bd9f4efb3442ea20ae202ec998b1bd7
SHA3-384 hash: 55c984dc3a5bf783e00c2b7e069caf5bbc12a20fa2e953da054b0e087dd48070215c71e98c4d1fd924651a9152f11b4d
SHA1 hash: f20fe6780e099d5f41efb950e2c9df8afacbbccb
MD5 hash: d959687d78102ec87a11da1ec03a78b5
humanhash: lake-nevada-montana-table
File name: Arco RFQ21.02.2022.xll
Signature: AgentTesla
File size: 4'608 bytes
First seen: 2022-02-22 08:07:41 UTC
Last seen: Never
File type: Excel file xll
MIME type: application/x-dosexec
ssdeep: 48:Zvt1Fpj7ZXpJ0u+5fbSzp3uOhqHMdsGxi78gZ+/SZ53NjZkFDXg749buJT:Z1jp59t13wMddxi66ZXjZYDA4puJT
Threatray: 15'559 similar samples on MalwareBazaar
TLSH: T142910AA1EA9448F6ED3C22FA7F47452AD52AF13C17AB03E71D80243E96594C01EE5882
Reporter: abuse_ch
Tags: AgentTesla xll

Intelligence

File Origin
# of uploads: 1
# of downloads: 141
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Office Add-Ins - Suspicious
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-02-22 08:08:11 UTC
File Type: PE+ (Dll)
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments