MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419
SHA3-384 hash:	054de48af780ca4fc1c5c134e5d138b2e0f0b3bcbee753d53a7a66e3715229298b54b988ade0d749006fbbb806c4c66e
SHA1 hash:	fa55f73160a931c76a1375784183af72fa7d72bc
MD5 hash:	3579d296037283a5a3a84b0b0cf99b58
humanhash:	thirteen-georgia-lake-potato
File name:	Booking new air shipment from TAO TO MEX PIFEX2306131004.7z
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	823'206 bytes
First seen:	2024-07-09 05:35:48 UTC
Last seen:	Never
File type:	7z
MIME type:	application/x-7z-compressed
ssdeep	24576:3pZ4B4Dvh+fHxb874GfDcjFNgmialfOZ5mknT:gqDvhqR84ScjFNgLa85mg
TLSH	T1FB0523A5A0A4C235FECCC50F2727A826B045314FB5FD6DADDC1B0F11A53F6286A19A3C
TrID	57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter	cocaman
Tags:	7z AgentTesla

cocaman

Malicious email (T1566.001)
From: ""Nancy Su" <nancy.su@piflogistics.com>" (likely spoofed)
Received: "from piflogistics.com (216-131-75-250.atl.as62651.net [216.131.75.250]) "
Date: "08 Jul 2024 14:03:44 -0700"
Subject: "The new air shipment from TAO TO MEX //PIF//EX2306131004"
Attachment: "Booking new air shipment from TAO TO MEX PIFEX2306131004.7z"

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Booking new air shipment from TAO TO MEX PIFEX2306131004.exe
File size:	1'189'852 bytes
SHA256 hash:	f71c34128bf5c4a4ecc05e5aa4fbd02740b96c4aaf075124f3a4e33f36c17c92
MD5 hash:	7714e94a0d99c9684ffc81cbcac31d78
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.15220.7463.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=668c84c7d6caced36c82d107win10vpnfull_triage

Tags:

Encryption Execution Infostealer Network Stealth Malware

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade overlay packed

Link:

https://www.filescan.io/uploads/668ccc4508c0fe0eb9615bd0/reports/0cfc3a35-e0e3-46aa-8d32-826be9632ddd/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

95%

Verdict:

Malware

File Type:

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/240709-hx8qcsthqg/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 3328a16746a549a97c2948b0e2f723c84c2e80920bec50b2cbb6d6a5b0716419

(this sample)

AgentTesla

exe f71c34128bf5c4a4ecc05e5aa4fbd02740b96c4aaf075124f3a4e33f36c17c92

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 f71c34128bf5c4a4ecc05e5aa4fbd02740b96c4aaf075124f3a4e33f36c17c92

Dropping

AgentTesla

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample