MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871
SHA3-384 hash: 336fab55742dfd2a929a03a126544e80182a658d52a652cdbc09200e7c5fa1194955c7b3d94e8e1d3afc8ca36bea0a43
SHA1 hash: 1d25e2c57051f3eec7fa07b2520712e788f2b264
MD5 hash: 90c5155bc3ec966fa11833e21251a9ee
humanhash: sodium-two-sodium-mars
File name:Download Report.06.05.2021.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:76'464 bytes
First seen:2021-04-07 05:53:24 UTC
Last seen:2021-04-07 12:33:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:qGOKZBZWPdE7zQxEbS695bK4DSq4D44Di4D24Dt4Di4D34DY4D54Dz4Djx4Dtc4W:qG1/ZWj4DSq4D44Di4D24Dt4Di4D34D3
Threatray 3'854 similar samples on MalwareBazaar
TLSH 7B73C1D48891A330C534BEF9A7373F2B8E98C258B5A1C8561E9DF793350812466ECDE7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps23930.inmotionhosting.com
Sending IP: 192.249.126.31
From: mail@policelife.com
Subject: EMERGENCY REPORT
Attachment: Download Report.06.05.2021.iso (contains "Download Report.06.05.2021.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Download Report.06.05.2021.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:46:37 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/99ae2746-3eb9-4ca4-9782-decd6601c0de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Mal.Gen.4125.2239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58bce97c-4ee2-4552-aa9f-90f4edadb6b1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/668365
Signature
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383114 Sample: Download Report.06.05.2021.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 56 39 Multi AV Scanner detection for submitted file 2->39 41 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->41 43 Adds a directory exclusion to Windows Defender 2->43 7 Download Report.06.05.2021.exe 21 14 2->7         started        process3 dnsIp4 37 myliverpoolnews.cf 104.21.56.119, 443, 49716, 49717 CLOUDFLARENETUS United States 7->37 29 C:\...\Download Report.06.05.2021.exe.log, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 33 323f7fd0-225b-43cb-818c-37f11a20a437.exe, PE32 7->33 dropped 45 Adds a directory exclusion to Windows Defender 7->45 12 323f7fd0-225b-43cb-818c-37f11a20a437.exe 7->12         started        14 powershell.exe 22 7->14         started        16 powershell.exe 24 7->16         started        18 AdvancedRun.exe 1 7->18         started        file5 signatures6 process7 process8 20 323f7fd0-225b-43cb-818c-37f11a20a437.exe 12->20         started        23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        27 AdvancedRun.exe 18->27         started        dnsIp9 35 192.168.2.1 unknown unknown 20->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-07 00:01:06 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzfp4vkrm7y53xcsgh7rc2svrjstqpgzi657m76h7poykfzovbyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
3dfc4c40e95c69c2f87baf8ce364a350823404e78bb4ed97807330f398753f76
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
4dde8ce9768e8239201fd508ec359f26c1703ebcdf4147c5503b303bacecd727
AgentTesla
5242c4552e512707dbeb3b004cb441cc140b6cfe813a4d6532f4adec03bcb23c
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
AgentTesla
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
AgentTesla
+ 3'844 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210407-mx3f21p5be/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871
MD5 hash:
90c5155bc3ec966fa11833e21251a9ee
SHA1 hash:
1d25e2c57051f3eec7fa07b2520712e788f2b264
Link:
https://www.unpac.me/results/09cf1571-3fbf-4258-a436-54b17b6979d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 4ceefacac5bb3d0f14563d1a884ddc4c48d41b4aa3f2a573e3449fc4f2f635f0

AgentTesla

Executable exe 364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871

(this sample)

  
Dropped by
MD5 90c76319bb8aeca124f93cce3f457fde
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132747/
  
Dropped by
SHA256 4ceefacac5bb3d0f14563d1a884ddc4c48d41b4aa3f2a573e3449fc4f2f635f0

Comments