MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 499ef36050a153956d152d098eb77810da5418a7611903d3ab38644ccd4eef17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	499ef36050a153956d152d098eb77810da5418a7611903d3ab38644ccd4eef17
SHA3-384 hash:	2da48da0e76595496bbb808d25ac857f000430a3713136cbea2b57da00e809090ab9fe49eed6b70e5907c321d8801243
SHA1 hash:	4002af7016695edae675223a5190f31b46fa510c
MD5 hash:	3d487ab8ebbba7bad5687c981ec9ccbf
humanhash:	kitten-august-network-saturn
File name:	Bank Slip and our New P.O copy.pdf.ace
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	437'222 bytes
First seen:	2021-06-10 05:38:04 UTC
Last seen:	2021-06-10 08:39:45 UTC
File type:	ace
MIME type:	application/octet-stream
ssdeep	12288:gh1ix5Fu4JTljpRsBb3oguzVwnEvSLG53eZZdIQmA:d1u4JZgB0gWaEF38mA
TLSH	F49423F86ACB8BC3DA7664B2D4D032594963455B3C283B81975EF1D8B038C6C784C7B6
Reporter	cocaman
Tags:	ace AgentTesla

cocaman

Malicious email (T1566.001)
From: "Saif Khan<sales3@cvshvac.com>" (likely spoofed)
Received: "from cvshvac.com (unknown [185.222.58.158]) "
Date: "10 Jun 2021 00:35:14 -0700"
Subject: "RE:Bank Slip and our New P.O copy."
Attachment: "Bank Slip and our New P.O copy.pdf.ace"

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL

Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL

SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/499ef36050a153956d152d098eb77810da5418a7611903d3ab38644ccd4eef17/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2021-06-10 03:04:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

23 of 46 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jgppgycqufjzk3ivfuey5n3ycdnfigfhmemqhu5lhbseztko54lq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210610-ltjj516n3a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Contains code to disable Windows Defender

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/499ef36050a153956d152d098eb77810da5418a7611903d3ab38644ccd4eef17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 499ef36050a153956d152d098eb77810da5418a7611903d3ab38644ccd4eef17

(this sample)

AgentTesla

exe 0a7a2fa6c6289f37c59ac4fc8e1cc7113c0063d2ff24a298f7a5f676e847ee77

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 0a7a2fa6c6289f37c59ac4fc8e1cc7113c0063d2ff24a298f7a5f676e847ee77

Dropping

AgentTesla

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample