MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d
SHA3-384 hash: d4847066c49f4cbfb3eed25b4fed89795758ba158882134a68d0f5ad47b73f94c2fb0b5ea33ef2f8cfb7d9105ffdb64d
SHA1 hash: bf6d5d54260f7bff109e1ddd440712e459973fcb
MD5 hash: ef4af155df4c3f9bc43582a68737c77c
humanhash: eight-green-spaghetti-twenty
File name:COMPANY UPDATE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:113'376 bytes
First seen:2020-10-12 14:49:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:T36ExBzFZOL92kGWB554WHyv1qA6gYx6HP4ynbUfz:T36ExBzFZycWL5GvMzgjdA
Threatray 473 similar samples on MalwareBazaar
TLSH B8B35F513087BE07DDBA463515F2D88126F2ADB66420C35CACC4A1CDFED26A93F099DE
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway31.websitewelcome.com
Sending IP: 192.185.143.33
From: Account <account@goldentools.ae>
Subject: COMPANY UPDATE
Attachment: COMPANY UPDATE.zip (contains "COMPANY UPDATE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70133/
Detection(s):
SecuriteInfo.com.ArtemisEF4AF155DF4C.2441.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/488595
Signature
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 10:49:09 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjz2gzxwdzcre4b3r5fldm52md3bh3y7m6pllcorvuhjntjvujoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2df3cf76977b778b4ffe30de57192b6db63debdd422a296d788f8552be32181f
AgentTesla
2f02f87bd00996719cd97c827f1bd4578033a03d7e3884ec18ec0eca32cee516
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
782784b7a36998823584c4967ce23c48f66f8a0716755f8b4ba8edcca793a185
AgentTesla
8f1df804a5fc826de1487d95db7e15faede754cd925132f7e920fd712e154208
AgentTesla
a0062b106277324b51718baac12082f12f735f370173fa3073abf70b86b016be
AgentTesla
bf56f62cbc583924d71c51afea9546cbfd6dafafe877553a3d1ca37a25d34767
AgentTesla
c82132cbb99629877f81482148e3667c3c64b376d6c7486475dc25dd25a64b9e
AgentTesla
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
AgentTesla
f924ed04e2ce70872e8e341379288a15579ade521df2e4d248054fe2d9357ee2
AgentTesla
+ 463 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/201012-y66zfsq5zs/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d
MD5 hash:
ef4af155df4c3f9bc43582a68737c77c
SHA1 hash:
bf6d5d54260f7bff109e1ddd440712e459973fcb
Link:
https://www.unpac.me/results/84047bf2-e9c0-4a1c-b073-b0e4fb8f4d52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 16980249e2784964038e918030a9246a1682b2562cb18eb410a0a778db142b0e

AgentTesla

Executable exe 3273a366f61e4512703b8f4ab1b3ba60f613ef1f679eb589d1ad0e96cd35a25d

(this sample)

  
Dropped by
MD5 28aa986e4bf6c7d07f3edb9e6fe36c26
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 16980249e2784964038e918030a9246a1682b2562cb18eb410a0a778db142b0e
Cape
Cape
https://www.capesandbox.com/analysis/70133/

Comments