MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138
SHA3-384 hash:	6ada8b6f2306f0032f112a5b1159a46b3251e038ea80d7485933a593113e53f3b362e1e65432336219d5e90023c196a4
SHA1 hash:	f70017ccdec69e9e86afed397f094bb0fb79836e
MD5 hash:	a3ed2686da848441ca7b8daa1657c40e
humanhash:	sodium-mississippi-failed-louisiana
File name:	PRE ALERT FINAL DOCS HBL & MBL.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	494'080 bytes
First seen:	2022-11-08 09:17:37 UTC
Last seen:	2022-11-08 14:16:13 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:kqBBGWBBBBBBXrBCBQ23YnqvTbHw5wu0oQA3PbRb8elEXM+1lUEPXP642nmFOUnj:XBBGWBBBBBBXrBCBQ24UHHw5wuQA/bd+
Threatray	534 similar samples on MalwareBazaar
TLSH	T121B4021523405412F93FDD31D4C83184A63CAB36B9E64AE9693869E35F72AC3B4E5F1C
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PRE ALERT FINAL DOCS HBL & MBL.exe

Verdict:

No threats detected

Analysis date:

2022-11-08 09:19:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/09b59d4f-a77e-46c8-8af9-ec206f7eb306

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330433/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.44587.15042.8633.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive packed

Link:

https://www.filescan.io/uploads/636a1eca5a33779d69ce9b62/reports/dc011909-f77b-4a5d-b7dc-b8ee34c779c4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e3221c2e-f693-4002-aad4-3d67d362b2e2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1108070

Signature

.NET source code references suspicious native API functions

Creates autostart registry keys with suspicious names

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138/

Threat name:

ByteCode-MSIL.Trojan.GenericML

Status:

Malicious

First seen:

2022-11-08 01:39:56 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 21 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kyfcwnrafr77762ag4xtsdo5y53kr6ynhxxpitt4pnglwavgce4a._file

Verdict:

unknown

AgentTesla

3cff9feae6b20355c809200752718f77289eb3047459663273ad7b24db351cfd

AgentTesla

44e70f14e20d43e59bee945d443ba00adc352d38a22b1a6b82731a83bc02ebfe

AgentTesla

5b65bd3beffa01f08710d696c4011d321846c81ff8248e31ce9c4bc933a54d39

AgentTesla

6189ac40feb5bca279cb7f61405df544da703a4ce1a9bda7c5111ee525f43c7b

AgentTesla

9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de

AgentTesla

c251403b9a2931b733ab581cde3c347e6eaf39e44e195c23c0314bb9f0692ac4

AgentTesla

d3c0d9f3e9555fac2f6c6431339c4556f2d87b5479543a927040c4ddfd1e25ba

AgentTesla

f4742eb31c8b2c6dfd22b03aefe30d4891d50f88e70b5bc27dae05fb3a615d69

AgentTesla

+ 524 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/221108-k9lgpsbcbr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f59c1dbd-d6d8-4bbf-ba0c-4445c755e413

Unpacked files

SH256 hash:

560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138

MD5 hash:

a3ed2686da848441ca7b8daa1657c40e

SHA1 hash:

f70017ccdec69e9e86afed397f094bb0fb79836e

Link:

https://www.unpac.me/results/7100ffb3-b54b-42d9-b741-2401a2404c52/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 560a2b36202c7ffffb40372f390dddc776a8fb0d3deef44e7c7b4cbb02a61138

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/330433/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample