MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc
SHA3-384 hash:	0081d6a33f7f3fe23f3094b53ee2634b838be1ea1ffc882b32082ba2e657ad56326579d610db048d400ce2920eb0af34
SHA1 hash:	463d7f1097c8951785fa8b3c86b9d4f7f86c3750
MD5 hash:	343ad317ac3f77f38ab473e20b1b50f4
humanhash:	emma-louisiana-alanine-arkansas
File name:	wise.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'305'088 bytes
First seen:	2020-10-06 05:49:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:6AHnh+eWsN3skA4RV1Hom2KXMmHaIOSv4jyTEsIg0wJIkaLPdc/tD5:Nh+ZkldoPK8YaIjYyxBBoLl+
Threatray	771 similar samples on MalwareBazaar
TLSH	3655BE02B3D1C036FFABA2739B6AB2455ABD79254133852F13981D79BC701B1277E263
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: out.sendnow.ph
Sending IP: 203.119.6.20
From: JENNY ZANG <sales5@cnsafeline.com>
Subject: *** FILTERED-VIRUS? *** Advance payment
Attachment: swift.zip (contains "wise.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

93

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/68415/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Launching a process

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/482311

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc/

Threat name:

Win32.Trojan.Predator

Status:

Malicious

First seen:

2020-10-06 00:38:23 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=imswhmz3zhblrqrwp2grmarcjrgfnkdvev7htz2yljwi64czdxoa._file

Verdict:

unknown

Similar samples:

314f0f442df7637e5a3fe94fadbc03b82d1165e58fa41c5d6881f857f61e3575

48b1f899e7ad8d880a6bf9d97ada6507c4403c8d8e81815f83fb8181ca247008

4951a0fc882c8d7590f4edac6f7b7e0408510d2db4353c3f5ff20c25ac60a92e

628fb13f63d68b25083522f21c084fc565fd8fe57e05b95b35b76ac01fdbf5ff

6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9

89f1ed8a332907a1e20a452f773576cc53bc7bfcb2aeb20eb4501d57a5574d2e

b052d189fbba69117efc6e10e1cada3faee844cb59b5f0d1482734976c72bd58

cda432c107c3fa22908941cec37a18edb507ceb2c83d70caf87031d2b5817afa

da362c114efb6a8f52b94b4554a7dcf6594eb2408f16d22cbd3cdbc520eb86eb

e897888dd36ab2a5740030d628f510ef0563d9d039e896b45134a4a5c4a82bb7

+ 761 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201006-6znvxdadgj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Unpacked files

SH256 hash:

432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc

MD5 hash:

343ad317ac3f77f38ab473e20b1b50f4

SHA1 hash:

463d7f1097c8951785fa8b3c86b9d4f7f86c3750

Link:

https://www.unpac.me/results/bf7358f9-a437-4400-bca2-bb03078ed161/

SH256 hash:

56d845c4c54873089aac1dc5c465367c3f3bd36d7c0ae0693eeb0841ce1d06c9

MD5 hash:

1f62563adf802698506be8b851c46ce2

SHA1 hash:

afbe3131cc7a613a839d11e2cacc6197f6e5ecf4

Link:

https://www.unpac.me/results/bf7358f9-a437-4400-bca2-bb03078ed161/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 80c21e684bc92e6c5ce8e7cc96aa3c8f657d41ee1137402d21dba065f344af6d

exe 432563b33bc9c2b8c2367e8d1602224c4c56a875257e79e7585a6c8f70591ddc

(this sample)

Dropped by

MD5 f27eea6791c36f8f1666b3186e4a6e72

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 80c21e684bc92e6c5ce8e7cc96aa3c8f657d41ee1137402d21dba065f344af6d

Cape

Cape

https://www.capesandbox.com/analysis/68415/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample