MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d
SHA3-384 hash:	0fa1836138f96b2d6355616a21bd848b058d38888f33bf188f1f31b5836592f139d589d33b6f39baa7679cb2a7e7bc80
SHA1 hash:	49a0535fba3a7e406ea31fcce5d3828fa8199bb4
MD5 hash:	bdd29a7719570ead894745646b29bd8a
humanhash:	thirteen-tennis-beryllium-ten
File name:	bank details.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	675'601 bytes
First seen:	2023-05-10 06:26:40 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:XDbZeyTYKMjcb9B4PEPwW+sLy/oZBq75mRildXk4HSj4Xv:TcN22PE4W+7Abq758illsj4/
TLSH	T111E423B16F62741D02FFD6250A237996087FDF268C5F17D5C3229A6C41C465EEEF820A
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "accounts125@falconglobalonline.com>" (likely spoofed)
Received: "from [45.88.66.141] (unknown [45.88.66.141]) "
Date: "9 May 2023 19:33:03 -0700"
Subject: "Fw: Re: Re: Bank Details"
Attachment: "bank details.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	bank details.exe
File size:	1'912'832 bytes
SHA256 hash:	c454fb3a97ff7f980350fda79235643956da9f30bfe1b77c37a58e61c953413a
MD5 hash:	045282dbe9692540d6468e5d765dc677
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3385.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/645b3937d054a0b0ef8474d4/reports/f4034cc1-c894-44ab-aed5-9a029fe27147/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36033b3d2fc4a4a296c7ee367048a9c4b682674275a8e23ba76c2b1e63155f0d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-10 06:12:11 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gybtwpjpysskffwh5y3hasfjys3iez2cowuoeo5hnqvr4yyvl4gq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/230510-hpsdeage8z/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Executes dropped EXE

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.