MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4254158f9b148912ce76c09a33e9f40af66e40a3893dbfd8019c774ab5662fa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	4254158f9b148912ce76c09a33e9f40af66e40a3893dbfd8019c774ab5662fa6
SHA3-384 hash:	ed81a1f9493bec42ff8caf6eea2ac01568f5a05882a6a91f7943aafa4641ae5e7ac78c0aecb08101f0c11f5b553fe64b
SHA1 hash:	cfa58e037a4dcfe52fe8bb29169c07d783a7a568
MD5 hash:	459745fa791c6e63c98eaf9f8f4cbcd3
humanhash:	neptune-single-oscar-wyoming
File name:	Inv,Delivery note.jpg.ace
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	492'353 bytes
First seen:	2022-05-09 11:15:28 UTC
Last seen:	Never
File type:	ace
MIME type:	application/octet-stream
ssdeep	12288:fiyZMhW9gZDIZv8Oio3LdvxHjCVonsHfAeZWvz:f12WB/Rv9jCVH/Amo
TLSH	T196A423A5DFDDC42FE7DECE4A4C186132343E8D88E8E98F91BC52F3498573246256A613
TrID	77.8% (.ACE) ACE compressed archive (3509/2/1) 22.1% (.) QuickBasic BSAVE binary data (1000/1)
Reporter	cocaman
Tags:	ace AgentTesla

cocaman

Malicious email (T1566.001)
From: "mariotti@mariotticarlo.com" (likely spoofed)
Received: "from mariotticarlo.com (unknown [85.202.169.187]) "
Date: "09 May 2022 11:30:21 +0200"
Subject: "Re: Corrections"
Attachment: "Inv,Delivery note.jpg.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6278f80736c061db6e5d6501/reports/a957ac7a-fb07-45a2-80a7-7696558c8e7c/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4254158f9b148912ce76c09a33e9f40af66e40a3893dbfd8019c774ab5662fa6/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2022-05-09 11:16:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 42 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijkbld43cserfttwycndh2publ3g4qfdre637wabtr3uvnlgf6ta._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220509-nc4tkadab7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5353503679:AAEJ2PXDCuq1nn55H7AnHpcP0d_3E3empJM/sendDocument

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4254158f9b148912ce76c09a33e9f40af66e40a3893dbfd8019c774ab5662fa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ACE_Containing_EXE Create hunting rule
Author:	Florian Roth - based on Nick Hoffman' rule - Morphick Inc
Description:	Looks for ACE Archives containing an exe/scr file