MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4930b77f5a3202d0ddc12d8f34453d347359b0af6f1775d9158e2608d4292b57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	4930b77f5a3202d0ddc12d8f34453d347359b0af6f1775d9158e2608d4292b57
SHA3-384 hash:	27499ccf9da2a511f929bdfb81ed6ba931076a0d15ff6fb5a29ce896a60a1046761aada531d0db9b15fa02e9aedb9029
SHA1 hash:	d168501667b5fd29b34db4c9cdd6e0edb1298687
MD5 hash:	4a7b51dfbf4ca71b234dece32bddce4c
humanhash:	asparagus-single-triple-don
File name:	PI Payment for darwin 46841310 MT103 Swift receipt receipt.pdf.gz
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	796'702 bytes
First seen:	2022-03-03 08:50:50 UTC
Last seen:	Never
File type:	gz
MIME type:	application/x-rar
ssdeep	24576:SLQ9250UCHJ31TZ9B/Y4IvgFQXeX/hoI/:eQ96xCHJ3xZPdVX/hr/
TLSH	T1D90533C2314767C01ABE02E397BB34E30DAC7517361E85448DFEF646B1E56A4B292B4A
Reporter	cocaman
Tags:	AgentTesla gz HSBC SWIFT

cocaman

Malicious email (T1566.001)
From: "HSBC BANK PLC <accounts@hsbc.com>" (likely spoofed)
Received: "from hsbc.com (unknown [185.222.57.201]) "
Date: "03 Mar 2022 09:49:48 +0100"
Subject: "TR : RE : RE: MT103 Swift receipt /// PI PAYMENT FROM HSBC"
Attachment: "PI Payment for darwin 46841310 MT103 Swift receipt receipt.pdf.gz"

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4930b77f5a3202d0ddc12d8f34453d347359b0af6f1775d9158e2608d4292b57/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-03 02:32:26 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 42 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jeylo722gibnbxobfwhtirj5grzvtmfpn4lxlwivrytarvbjfnlq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220303-kr54dsaag6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4930b77f5a3202d0ddc12d8f34453d347359b0af6f1775d9158e2608d4292b57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research