MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e
SHA3-384 hash: 13ac18a5b1e71f5906b1b7bcfdba038ffa6f87f6819277f53ed1f70cbe48dc18913ad718171db05d25d6fe06c1a97be9
SHA1 hash: 2f29452f7370a18fbe86bd416a4a33858ff2bcb3
MD5 hash: 973f07dd0c89cc52bca20eb9fc1395b6
humanhash: east-avocado-zebra-idaho
File name:invoice.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:573'912 bytes
First seen:2023-03-14 16:04:22 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:WWuPR8LrMx4N8pEPX5Ve8DU/fPHAMsNrdaIfXl8qDdgcFx2bA:WWq8PMxm8pEPX5sYU//slgIPhzFx20
TLSH T195C423D00627D96E9BA0B032935867033F469E168F625B1F1AAFB17F4FCD696E10076C
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla INVOICE payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "mahindranorthcoast@telkomsa.net" (likely spoofed)
Received: "from telkomsa.net (unknown [45.137.22.58]) "
Date: "14 Mar 2023 17:03:09 +0100"
Subject: "RE:Confirm revised invoice to proceed with payment ASAP."
Attachment: "invoice.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:invoice.exe
File size:1'191'936 bytes
SHA256 hash: 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb
MD5 hash: e8af0f15ab522536c2effe7171cbc2a9
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.21615.ZipHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.23810.ZipHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64109b30949a950538ed0b09/reports/4c65fe34-94e6-4ccc-b312-6b4439fca5bc/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e/
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 16:04:28 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2443457erbqdeyribehzflabrbpysddojmjfu3hc5jy64vwi5ha._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230314-v65fhsgg95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses the VBS compiler for execution
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5711515928:AAGr5pLEJgjvMf5yBzvNPjftYdw-oXyzKzg/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1
Create hunting rule
Author:Florian Roth
Description:Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg
Rule name:SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 66b9cdf3bf244301931140487c95600c42fc4863725892d36717538f72b6474e

(this sample)

AgentTesla

Executable exe 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 7b0b81c17dfb8b053c8cf68519837b7afdfd12e95a46c97ef887881c674039fb
  
Dropping
MD5 e8af0f15ab522536c2effe7171cbc2a9

Comments