MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a
SHA3-384 hash:	db717919f3e5d0c3914e60ced97dc2c5ef7933622588f7b784ab527cbe0e22e306d3fcb265f04a491489f9248a9a6f83
SHA1 hash:	a7b89834422a13030cf76e341a35ef33075ebbf5
MD5 hash:	2cef92fcd50d57952eddda55222bc29f
humanhash:	summer-berlin-solar-mexico
File name:	PURCHASE ORDER.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	390'877 bytes
First seen:	2023-02-16 12:13:09 UTC
Last seen:	2023-02-16 12:14:46 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6144:ISt9N9UEWE3oo8/VPNIaMUCpWqTpBG2gRyn3Kyqia5q0a0p6+y/UTtC/MOZ8b:htqEW4obVFnM1K2gon3gi0q0vp6+rTI+
TLSH	T140842342F8D7956913D509609BE6822DDEB8870996CD03C3DCE70232EF88E67F466C1B
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: ""Angie Lee"<snp@sgp.pilship.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.94]) "
Date: "16 Feb 2023 09:58:47 +0100"
Subject: "RE: HR AARAI / PO No.: RAI-202200016-11 message, 1 unread"
Attachment: "PURCHASE ORDER.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PURCHASE ORDER.exe
File size:	405'627 bytes
SHA256 hash:	0271087f4a8d83387ba502d987722d40d40dc8109972a3e4e199ca122648e8a9
MD5 hash:	cfc2c744cf64184b7b3881e2e890fee1
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3213.UNOFFICIAL

Sanesecurity.Malware.22360.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ee1e0bf4ccf83b8358a5f5/reports/be88b268-9b38-4802-a159-aef4e5347d1e/overview

Verdict:

Suspicious

Labled as:

Suspect-BW

Link:

https://www.hybrid-analysis.com/sample/6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-02-16 08:57:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

15 of 39 (38.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ngi7v544mkgvbw6rhhzidrb3vmrcvr7jkkkktb23s3vx7tnmvina._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230216-p3gmdshb8t/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6991faf79c628d50dbd139f281c43bab222ac7e95294a9875b96eb7fcdacaa1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg

Rule name:	SUSP_Archive_Phishing_Attachment_Characteristics_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects characteristics of suspicious file names or double extensions often found in phishing mail attachments
Reference:	https://twitter.com/0xtoxin/status/1540524891623014400?s=12&t=IQ0OgChk8tAIdTHaPxh0Vg