MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b
SHA3-384 hash: d9bb704816611d844614f099ff29aca4521eeaca758d6a8f4648b2e6d42b5a8006c0c544ae69eb6d79e2da3bdc3c69c9
SHA1 hash: cbe6725aafbd8b968b005452b475514427a9358a
MD5 hash: fe45183de09672557b6c4d693cdc639e
humanhash: mockingbird-eight-carpet-foxtrot
File name:HBL-20210508 INVOICE.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:715'389 bytes
First seen:2021-05-09 05:27:02 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:K0DrreZp1yCHUNyKhUqs/sMeUAFScREMWY6zWY0RFA2Kak4cn2p:K0RCYyKKqz/ScREMPBjZk4cno
TLSH 8DE4332B8F5C335522526395FB6E84B62A80BE5316CCE2CF5359801C6067ADFCEC42E3
Reporter cocaman
Tags:INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: "<customerservicehls@pilship.com>" (likely spoofed)
Received: "from pilship.com (unknown [45.87.60.140]) "
Date: "09 May 2021 07:26:34 +0200"
Subject: "Shipment // MAWB # 607-20263025/ HM-20210428 HBL | Consignee:lgpartner.ch "
Attachment: "HBL-20210508 INVOICE.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-09 05:27:07 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ietnclormzm6kzm3qo75q6geturmbauqq55zpopwk5fkeb5o6vnq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210509-j6clsvfhg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4126d12dd16659e5659b83bfd878c49d22c08290877b97b9f6574aa207aef55b

(this sample)

AgentTesla

Executable exe fa86bcc4fcbe45158b39f31d771e22b54ef274173b260642f4a22476e4f84b32

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 fa86bcc4fcbe45158b39f31d771e22b54ef274173b260642f4a22476e4f84b32

Comments