MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd
SHA3-384 hash: e90a76835656e969005b6ad77c3212bb339d20baad601d715c0c00a8b95b1dc08e27a32782f5fd73a385b696e50f8e71
SHA1 hash: 18211b975527c51f77525d92a7e97307317847af
MD5 hash: 840ea25205acdee63e20a20bb011b42b
humanhash: march-gee-double-fruit
File name:APR 20204 RFQ.xlsx.arj
Download: download sample
Signature AgentTesla
Create hunting rule
File size:146'382 bytes
First seen:2024-04-17 09:31:52 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 3072:zTAVED4LQBe+WSd/YXjaNONYcTmtylxFxnVNQPyBS2jJu5V3EqPC+K:zTeLQFWW6fxfn0720E
TLSH T13AE312624CC28658D84B132DDC454FD2F9BAA86B8B0033CC4F414BA959D714AEE7A7F7
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla arj QUOTATION RFQ zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""commercial" <info@bopzx.ooguy.com >" (likely spoofed)
Received: "from mail0.bopzx.ooguy.com (unknown [213.142.149.185]) "
Date: "17 Apr 2024 01:59:27 -0700"
Subject: "Quotation Required for -24-0054"
Attachment: "APR 20204 RFQ.xlsx.arj"

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:APR 20204 RFQ .xlsx.vbs
File size:285'658 bytes
SHA256 hash: f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4
MD5 hash: 03e2a0c33e613d9aabf9167bd28cf3c7
MIME type:text/plain
Signature AgentTesla
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerberus finger lolbin masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/661f971247bfd8641ead7492/reports/c1ba84ab-6ab9-4794-bc4d-1332ac209cdc/overview
Verdict:
Suspicious
Labled as:
HIDDENEXT/Worm.Generic
Link:
https://www.hybrid-analysis.com/sample/52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-04-17 08:49:42 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kiqcir6kgoo7namkv34h4anf2xdyvtmniwql6ysi6n5nh2mmto6q._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240417-lpd3kabb99/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
AgentTesla
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 52202447ca339df6818aaef87e01a5d5c78acd8d45a0bf6248f37ad3e98c9bbd

(this sample)

AgentTesla

Visual Basic Script (vbs) vbs f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f77b953a53a607e534572eda08dfaa91ad61f52491e9982a0790869c80a714c4
  
Dropping
MD5 03e2a0c33e613d9aabf9167bd28cf3c7

Comments