MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8
SHA3-384 hash: 5126c09ab1c97efabf5ffab4785ddf7529e84e33a29061a46914dac945bba6f49283eca659b34d39f1aa6b67cb073b75
SHA1 hash: 255b58068db9208b5aa543c30ffc59e4fd63f07f
MD5 hash: c0c002d54d49f3bd1ddfa9f23560a710
humanhash: quebec-pip-aspen-autumn
File name:gunzipped
Download: download sample
File size:796'672 bytes
First seen:2021-04-08 15:49:51 UTC
Last seen:2021-04-08 17:23:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mIjOdxuuLIfriVEJhMql08sgOS+UmX521bNAa2e:4ETiVEJVR1ZpJP
Threatray 7 similar samples on MalwareBazaar
TLSH 4F05DF2033A89B91E6BD83F5906100015BB5FBEA652FDB7C8D8571C91CB1B8C3CDAA57
Reporter abuse_ch
Tags:GoDaddy


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: p3plsmtps2ded01.prod.phx3.secureserver.net
Sending IP: 208.109.80.58
From: Francisco Rico - Cobra Sales <info@psicoalcala.es>
Reply-To: me <testing@bhavnatutor.com>
Subject: Requesting A Quote
Attachment: Product List.gz (contains "gunzipped")

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped
Verdict:
Malicious activity
Analysis date:
2021-04-08 15:58:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf2722a0-01d9-4296-a74e-5085721f3811

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133248/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.10371.11638.9156.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending a custom TCP request
Setting a global event handler
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/670475
Signature
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 16:00:54 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jg6dphppu2ldlqoshp7z675pg4q2fw5clqydll4ge42mdsd2cd4a._file
Verdict:
suspicious
Similar samples:
254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a
552dfc754e6cdb214ed63e71645340e3e61f006b4472ec33afd6c753ed311a99
66c8e950081d5b355d0a2e9859dbf9084d30db9d12b66f6ba01c148e4e255c32
768fc212c2c6d7fa88cb45245fbdfa02e1243540de80f81087ef031e7e9fc20f
84f28d28b63ae57104a5840373d8debeec9be6886be4051e0bd965b1250dda90
86a1bdb2e8880eab5d158b6bab714ca09193ad21b8b3b72c10aec58f7f638333
f447a943893a7871b02a8a6cc992c31604b3bd6ff6f2ec184a3af14f3384954d
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210408-w3wx7tkjvn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
1cf2bef67478d8d0dc43f7ddec5346a9582896136d47d733ac608d84eb921807
MD5 hash:
94cab876e02ed2514f377c349f2bc1a2
SHA1 hash:
c13bdc8d189a3ead8608d95e9a906a5ee489d264
Link:
https://www.unpac.me/results/f9b4d858-713a-498e-aaf4-effec2772584/
SH256 hash:
254f4133d2bfa7ca67fdc4704022cd1c22fb1e22957c90a29626ed8f2d189a3a
MD5 hash:
e206bbb108e3a2e7a554897f9f4d489c
SHA1 hash:
982f441a30b5945f131350fded1587a41f848d78
Link:
https://www.unpac.me/results/f9b4d858-713a-498e-aaf4-effec2772584/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/f9b4d858-713a-498e-aaf4-effec2772584/
SH256 hash:
49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8
MD5 hash:
c0c002d54d49f3bd1ddfa9f23560a710
SHA1 hash:
255b58068db9208b5aa543c30ffc59e4fd63f07f
Link:
https://www.unpac.me/results/f9b4d858-713a-498e-aaf4-effec2772584/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz c1ee9d13967b67852dd52969749439771274e97d4779eb8fde14bdcbd71848a8

Executable exe 49bc379defa69635c1d23bff9f7faf3721a2dba25c3035af862734c1c87a10f8

(this sample)

  
Dropped by
MD5 1de9cd0cbc1f665b959ddb33b84a2d9a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133248/
  
Dropped by
SHA256 c1ee9d13967b67852dd52969749439771274e97d4779eb8fde14bdcbd71848a8

Comments