MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928
SHA3-384 hash:	a70705dd09d257311f3f591e45bccd151e9d4b96baf4a0ef82faca4d58b4c3e74bab6dabb8cc1895f54bde00cfc6b699
SHA1 hash:	8385b97bf2cbad2dc3a798ec1548c43718ee7290
MD5 hash:	857334fd0f47a08ecc507cef518a3e47
humanhash:	kilo-cup-xray-beer
File name:	Payment Instruction.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	754'605 bytes
First seen:	2021-07-13 05:11:48 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:qRdCJexlDMrxiVnXRL+95yffyMWp3uDI3mcwb9QO/+cXtyJiwmQl46R4yFeFJDQD:gd1bemXR85yDWp3uDFcw6O/+cgJnlz2M
TLSH	T19CF43357880BDD9289CB30AF8DC063AB8124753BA55E592FBD0211F2517EDDE029F8F9
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "Ravi <ravi.nandan@hydratight.com>" (likely spoofed)
Received: "from mail.justfiction-edition.com (mail.justfiction-edition.com [195.201.227.104]) "
Date: "Tue, 13 Jul 2021 05:02:15 +0100"
Subject: "PAYMENT INSTRUCTION FROM OUR CLIENT"
Attachment: "Payment Instruction.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs2266.UNOFFICIAL

Sanesecurity.Malware.22325.ZipHeur.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-13 05:12:11 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 46 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ixc57otrdu44dbwbuqd7r2bs5dezmx3r6v7pv64di4vedccvjeua._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210713-le9p86fbqs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 45c5dfba711d39c186c1a407f8e832e8c9965f71f57efafb83472a4188554928

(this sample)

AgentTesla

exe 8e53c1e78b82ac4b4d48cd346bfe7d08600f5332dbb244d4cd6069fd9a285b8c

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 8e53c1e78b82ac4b4d48cd346bfe7d08600f5332dbb244d4cd6069fd9a285b8c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample