MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d
SHA3-384 hash: 9ee5716b461376fbfe2bffc93a9678c03f15652be4ebace30c39d68044ed83e8321b7e3bbbfb599788a5dc11e58ffdbd
SHA1 hash: 27a504f4aeefc4e3738d718d478db8518ceab7ff
MD5 hash: e1772cd858fa9fc99555967ca5442ed5
humanhash: fourteen-fruit-butter-maryland
File name:rpt_29336446_20201905161204798.pdf.exe
Download: download sample
File size:842'752 bytes
First seen:2020-05-20 07:49:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZXQWsvxbhTVEtgrtyumXuzUzXRz/B+H8kHJjLwLNK/7aEGLU0MGUg:ZXCbhJEertTjz4RDBtkptgPMGT
Threatray 1'002 similar samples on MalwareBazaar
TLSH E9056CA4B634C4C6C0E83EF23529D8710FF49E366967C9404232FDD8F8E57A57A0A5B6
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.websitetestingtoday.best
Sending IP: 79.124.8.124
From: Tom Nosker <tjnoskar@gmail.com>
Subject: Urgent Onahama booking AWP CN12E ex USA - X
Attachment: rpt_29336446_20201905161204798.pdf.7z (contains "rpt_29336446_20201905161204798.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 03:37:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlwr7rmr5t7mheqakce4q4f5d5sf6njktgisyhphosiy4hpgp6gq._file
Verdict:
unknown
Similar samples:
00b85c15e241bfcd6a5a9d64029e117876da5029b60b8f4828f859277dafc6f2
41c7d6bad3849fb7c5365745b2be8678e3e8ad63d5b4e8329b1b3206c5d1adf6
4cc5578e9b753897ef8d0659635de7aab82fe0e17b99caf8b622ba16b0ebb764
664f6eaa9564770b3bcf02dd9f3627bde68bf98de0d9ae17829a1b122060a313
69c606a2bc7954124a33b2026dc7ef62941df3485f3a68fe368502d008b2f67c
705f488d08262ffb7161421b0de427be7e83342895cd6af5f5f7aad593725d34
c4bb2da6ebc3708faa91997e5863224a41e8f177793064728f8a0a3201da46a2
d8450acc64ddba18cda3926697f2953a4bc632607bb975a31c8dbeaa882765d0
ea670197c4b63ece359ea040ed0bf43b585b5c16b82441e5e628aab0542ca37d
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
+ 992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-fmfffs3552/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z ce122155dda106a8535e459e97cc26aeb4d0257a3f0d0cdd91440623748891f7

Executable exe 3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d

(this sample)

  
Dropped by
MD5 a85f5bbfdffd94528a586ad2e427ba3d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ce122155dda106a8535e459e97cc26aeb4d0257a3f0d0cdd91440623748891f7

Comments