MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463c5534c07f97b15b3f18392fc551ca49e77189df414c15bba397389737d952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: 463c5534c07f97b15b3f18392fc551ca49e77189df414c15bba397389737d952
SHA3-384 hash: 2f0891be77b3a134ddd9095b843636dc8dab1b93154dfcac4b04efcb05ea84aa96169c95aa04f60b087488009a3dbca9
SHA1 hash: f759e18e411e9212ce9f79a9b96491cc13b8067b
MD5 hash: 3797f60ef9fa73228b3c105a99ccfe8f
humanhash: mango-don-monkey-nineteen
File name:INV_S1016628.gz
Signature AgentTesla
File size:585'812 bytes
First seen:2023-08-28 13:27:43 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 12288:TORYZheo85wTUfDZ/Lw3S4Vu3PFrgpNj77/7sqhw79IPdwonoh4iD:TORYZUo8sdu36B/4qc3Tn
TLSH T1A9C4231C62416F62FA34240661B6F6C06044756FC9D13880CCD7EB5D576AA8ABF2CDFE
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla gz INVOICE payment
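A triage check worth running on this entry's data: the attachment name promises a gzip stream (.gz) while the MIME type and TrID above say RAR, and the listed hashes let you confirm you are holding the same bytes the entry describes. The Python below is an added example written for this page, not MalwareBazaar's own tooling; the magic numbers are taken from the gzip (RFC 1952) and RAR format specifications, the hash values are copied from the entry above, and the byte strings it runs on are constructed stand-ins, not the sample itself.

```python
import gzip
import hashlib
from pathlib import Path

# Container magic numbers, taken from the public gzip (RFC 1952) and RAR format specs.
GZIP_MAGIC = b"\x1f\x8b"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Which container formats a file extension legitimately implies.
EXT_TO_FORMATS = {".gz": {"gzip"}, ".rar": {"rar4", "rar5"}}

# Hashes exactly as listed on this MalwareBazaar entry for INV_S1016628.gz.
LISTED_HASHES = {
    "sha256": "463c5534c07f97b15b3f18392fc551ca49e77189df414c15bba397389737d952",
    "sha3_384": "2f0891be77b3a134ddd9095b843636dc8dab1b93154dfcac4b04efcb05ea84aa96169c95aa04f60b087488009a3dbca9",
    "sha1": "f759e18e411e9212ce9f79a9b96491cc13b8067b",
    "md5": "3797f60ef9fa73228b3c105a99ccfe8f",
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def identify_container(data: bytes) -> str:
    """Classify a blob by its leading magic bytes (RAR4 and RAR5 differ in the byte after 0x07)."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    return "unknown"


def triage(filename: str, data: bytes, listed: dict = LISTED_HASHES) -> dict:
    """Report hash agreement with the listed values plus an extension/magic mismatch flag."""
    actual = hash_bytes(data)
    fmt = identify_container(data)
    ext = Path(filename).suffix.lower()
    expected = EXT_TO_FORMATS.get(ext)
    return {
        "format": fmt,
        "extension": ext,
        # True when the name promises one container but the bytes are another, as on this entry.
        "extension_mismatch": expected is not None and fmt not in expected,
        "hash_matches": {name: actual[name] == value for name, value in listed.items()},
    }


if __name__ == "__main__":
    # Constructed stand-in: a RAR v4 signature plus filler, named like the sample. Not the real file.
    fake_rar_named_gz = RAR4_MAGIC + b"\x00" * 64
    print(triage("INV_S1016628.gz", fake_rar_named_gz))
    # Constructed control: a genuine gzip stream under a .gz name raises no mismatch.
    print(triage("notes.gz", gzip.compress(b"benign text")))
```

To use it on the real download, read the file's bytes and pass them with the original name: if the bytes are the ones this entry describes, all four hash_matches entries come back True, and given the TrID result above the mismatch flag should fire. A .gz name on RAR content is a cheap signal to key on in mail-gateway or sandbox pre-filters, independent of any AV verdict.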


cocaman
Malicious email (T1566.001)
From: "Aadila Al Shanfari <info@dwappu.com>" (likely spoofed)
Received: "from erwinville.dwappu.com (erwinville.dwappu.com [88.209.206.114]) "
Date: "23 Aug 2023 01:41:58 -0700"
Subject: "Re: Payment for Outstanding Invoice"
Attachment: "INV_S1016628.gz"

Intelligence


File Origin
# of uploads :
1
# of downloads :
87
Origin country :
CH
File Archive Information

This file archive contains 1 file, sorted by relevance:

File name:INV_S1016628.exe
File size:636'928 bytes
SHA256 hash: 8a74737cd563828a070e74b5fa4af0eefc7a98cf8b52fcc0ee5db3c83a2d9cb0
MD5 hash: 66232823c66e96a4346fb0db1949b6b6
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2023-08-23 07:43:51 UTC
File Type:
Binary (Archive)
Extracted files:
9
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
gz 463c5534c07f97b15b3f18392fc551ca49e77189df414c15bba397389737d952 (this sample)
Delivery method: Distributed via e-mail attachment

Comments