MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
SHA3-384 hash: 1053706ce1d9602143a0e28153acfcffc0bb2bf43837ffb5b9afe3d22e6aa02a6417e7b3eada29816872f0d5821bf2d5
SHA1 hash: ca0ff1e5b4cc2a26e45c129d85090a47d7b7705f
MD5 hash: 3a266a2755c4ac0ceb04cf78cb22e19c
humanhash: salami-fix-jersey-oranges
File name:αριθμός παραγγελίας. 21130250321.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:267'897 bytes
First seen:2021-03-25 10:15:16 UTC
Last seen:2021-03-25 12:09:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:fAP9HBM+YdUxVGZ7PTTABzbxBIbUCGxcR7yQL:ghWYGZ36XIbUCjMK
Threatray 3'475 similar samples on MalwareBazaar
TLSH 4344122BBBC080F7D29249F29C76AF39D1F7BA4525246103EB250F9E17382D35B1A356
Reporter abuse_ch
Tags:AgentTesla exe geo GRC


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: relay1.validname.com
Sending IP: 185.65.56.195
From: Dana Fakiri <dfakirl@lino.gr>
Subject: αριθμός παραγγελίας. 21130-250321
Attachment: αριθμός παραγγελίας. 21130250321.7z (contains "αριθμός παραγγελίας. 21130250321.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
αριθμός παραγγελίας. 21130250321.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-25 10:19:48 UTC
Tags:
installer
Link:
https://app.any.run/tasks/16e840bd-e882-4176-9f03-778e2bddde54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.21158.19883.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/653710
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 10:16:10 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4zs4ml4kelopsnwj2uaqsrzvjh77bm2avwosrrvk663acj6vnkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2bff7918842a32e19021595f3276402ff1e1034130ed6dfbf4f3f11dda06a52d
AgentTesla
3813d5fe541f008c96f3a0f367113a1fa3c047f08815fcd8335c4b829523ca28
AgentTesla
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
AgentTesla
91c721be1fbcbe252218eed8b8e8b89c46f49b26def8efebf1f30aaae1055725
AgentTesla
938a1c15eab21846b96971f70eac4ef78f273adf89d6305aee7b91f5212e9013
AgentTesla
b2763d0bd70e672d77d8b2e1a78e0c358bc611a2fc27df8dc90e764fc7aaea6d
AgentTesla
da292ea9e3cda3911d3e6023e9ead0e663a14a1d089cabe7830d46f9c27caeaa
AgentTesla
e99bae3896aa527b7e77c3ecda493364d913cfa2ddf1ef0b1a072d9f4289764f
AgentTesla
eb12f5ac4c8669a097af19e970c05103b43e542a4ad162401c68acef25ff8b5c
AgentTesla
f9989bce3ddcc0eb0f95bae744a31bd28e06b229f2757ad7fe7a92c8952ac78f
AgentTesla
+ 3'465 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210325-zhq6bbv1ns/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Unpacked files
SH256 hash:
feb01a9040a594bc1a4f0a00356212f3fd832a0aecbd31a860f990190706386d
MD5 hash:
f0cff1155cf594bf669213f3aae58f49
SHA1 hash:
63371ffb15fa997c80c9b824ea62358f8e6fab33
Link:
https://www.unpac.me/results/0116c287-b601-42ba-b271-9f60860a24f5/
SH256 hash:
598024c2a19f65ce2ad67f04e417ac0cf8fc469a079d88efddf29bac08ae53d1
MD5 hash:
148b545e8c0358058d2d14655b77272c
SHA1 hash:
eddd670f29c2a8e64047efdc6347239fd649d346
Link:
https://www.unpac.me/results/0116c287-b601-42ba-b271-9f60860a24f5/
SH256 hash:
4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55
MD5 hash:
3a266a2755c4ac0ceb04cf78cb22e19c
SHA1 hash:
ca0ff1e5b4cc2a26e45c129d85090a47d7b7705f
Link:
https://www.unpac.me/results/0116c287-b601-42ba-b271-9f60860a24f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 94ea0cfc2334b32c578f85478968b2e2115ffc0b408ddb4ba70d65e5a92d755c

AgentTesla

Executable exe 4f332e317c5116e7c9b64ea8084a39aa4fff859a056ce9463557bdb0093eab55

(this sample)

  
Dropped by
MD5 2349d86fd0959493141e22fccdf2bb8f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 94ea0cfc2334b32c578f85478968b2e2115ffc0b408ddb4ba70d65e5a92d755c

Comments