MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a
SHA3-384 hash:	12afe6a9a19e6b91547276b4b0fa9b0b52983f0ae8c9e0d2ff41513b049490dd7555832d3f1376cd26b95906301bf4c5
SHA1 hash:	e445cb698afd70a4812450b237d902a6a7d18b43
MD5 hash:	62ddfb121b22ceedbc44215d140e9daf
humanhash:	ack-five-vegan-red
File name:	PO FILE87965345 exl.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	675'786 bytes
First seen:	2023-05-10 09:05:59 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:ZYNyd+LLkMwBux6KR0PYWhqYTsdPuUUo7eheIImdSoJ7+v6kEyU:ZYNykLLy4FR0gWhqY1UNAebmd+SXyU
TLSH	T14DE433D9B5CAAA5A339421BDDFC73A501B2AB0DF00A73A0ECB112D92B704DB7B5017D5
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	zip

cocaman

Malicious email (T1566.001)
From: "info@adamtrd.com" (likely spoofed)
Received: "from [45.88.66.141] (unknown [45.88.66.141]) "
Date: "10 May 2023 02:05:26 -0700"
Subject: "None"
Attachment: "PO FILE87965345 exl.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

589

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO FILE87965345 exl.exe
File size:	1'910'784 bytes
SHA256 hash:	511bd4f1051444242dda8ae6df80720106a6b4d60eab89658baffb142affe730
MD5 hash:	26fa36b587e07bde2d99f329ba553e9c
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Lazy.340140.24482.24621.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/645b5e7c8399e8849cbcbe3c/reports/2c1b7a89-4ff7-40cc-813a-cb8c2214a36a/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44801cf505ecb773e76855ad7fbc2bd89c9e3badc7413dc5dbbd2c0b3a39609a/

Threat name:

ByteCode-MSIL.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-05-10 09:06:08 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 37 (32.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=isabz5if5s3xhz3ikwwx7pbl3coj4o5ny5at3ro3xuwaworzmcna._file

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/230510-k7w6esfb74/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Executes dropped EXE

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.