MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870
SHA3-384 hash: a7b921c3707c689efbf4df7b24856a77b3a4dfaa61da69ad7f03ce75d29d6b19919083133d44d46bea506652f28843ef
SHA1 hash: 04f03c75933b9a03e5b4cc32de47e56c2f19bedb
MD5 hash: 5ef15abd937eb2220e45ddd243f7958d
humanhash: angel-juliet-fix-pizza
File name:Bank TT request.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:35'762 bytes
First seen:2023-01-27 07:20:14 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 768:CobYvaOCYqpGFUe2bY04d7HBTqesOvj30bF2Zsyy7ARn3uTgBAH:CGOCYqpde2bp4xHBb+F26D7AJuTgB8
TLSH T1DBF2F1C2E298164127A152512EED8B4CB01B2445AF608DDF5E0B1FEEC7C0C6F96B7E75
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla SWIFT zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Mahmoud Nasr" <ashokkumar@pricolcargo.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.186]) "
Date: "26 Jan 2023 14:26:51 +0100"
Subject: "RE: Bank TT request -PO - 12619 // Swift confirmation"
Attachment: "Bank TT request.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Bank TT request.exe
File size:93'184 bytes
SHA256 hash: f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141
MD5 hash: 0172e22c44174c1a72395169757359cd
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.541.29747.27164.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63d37b5f447edb203a015e66/reports/ac501340-f20c-4910-8a02-0580bfffd3ae/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-01-26 15:21:03 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdbhflbqi7boiefdexvgen2faap2ud5j4vnfrpdwrdodcc5apbya._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection
Link:
https://tria.ge/reports/230127-jlyxfshh85/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1
Create hunting rule
Author:Florian Roth
Description:Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 48c272ac3047c2e410a325ea623745001faa0fa9e55a58bc7688dc310ba07870

(this sample)

AgentTesla

Executable exe f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f01102bc0d4dd2e2508bcf195df1e52fe46afeba7b079cd7d9f51007ed9b6141
  
Dropping
AgentTesla

Comments