MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69f49473268949bb7e90561282c6c8a2ab009c50100a552ee09bb7d071a6b360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 4



SHA256 hash: 69f49473268949bb7e90561282c6c8a2ab009c50100a552ee09bb7d071a6b360
SHA3-384 hash: 8b48d70db50ef75687429473696213dd345fa59dc2a2c6257316d537523576de5a67ce6fad400bb9475afd322a29ebb0
SHA1 hash: 0a7f258af6aa9a2c2c7de54d66545f95fe68c79a
MD5 hash: 8eacf32f5e068dacba69c25c8f58146e
humanhash: coffee-mars-apart-blue
File name: product inquiry pdf.arj
Signature: AgentTesla
File size: 396'950 bytes
First seen: 2020-06-16 12:10:06 UTC
Last seen: Never
File type: arj
MIME type: application/x-rar
ssdeep: 12288:EkRIME3awwW9aN2vx98KX9VOiDbidFk3rdmiNHfW:tRI362p5X9V9KCpd9+
TLSH: 5B8423A3370559202D5C0DB716F9C621CAD09E49C49FAAFC3D169B27348F3FA7726089
Reporter: abuse_ch
Tags: AgentTesla arj


abuse_ch
Malspam distributing AgentTesla:

HELO: teamwavelength.com
Sending IP: 37.48.85.240
From: Mary<techsupport@teamwavelength.com>
Subject: Product inquiry
Attachment: product inquiry pdf.arj (contains "product inquiry pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 239098; sample: product inquiry pdf.arj; start date: 17/06/2020; architecture: WINDOWS; score: 100)

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures.

Process tree (signatures, dropped files and network contacts are listed under the process they were attributed to):

  YYtJku.exe
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 7 other signatures
    YYtJku.exe
      network: us2.smtp.mailhostbox.com (208.91.198.143), port 587, United States
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
    notepad.exe
  unarchiver.exe
    signature: Early bird code injection technique detected
    cmd.exe
      product inquiry pdf.exe
        signatures: Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
        notepad.exe
          signatures: Drops VBS files to the startup folder; Delayed program exit found
        product inquiry pdf.exe
          dropped: C:\Users\user\AppData\Roaming\...\YYtJku.exe (PE32)
          signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      conhost.exe
    7za.exe
      dropped: C:\Users\user\...\product inquiry pdf.exe (PE32)
      conhost.exe
  wscript.exe
    product inquiry pdf.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
      product inquiry pdf.exe
        network: us2.smtp.mailhostbox.com (208.91.199.223), port 587, United States
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Hides that the sample has been downloaded from the Internet (zone.identifier)
      notepad.exe
  YYtJku.exe
    signature: Maps a DLL or memory area into another process
    notepad.exe
      dropped: C:\Users\user\AppData\Roaming\...\app.vbs (ASCII)
    YYtJku.exe
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-06-16 12:12:04 UTC
AV detection: 20 of 31 (64.52%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
  arj 69f49473268949bb7e90561282c6c8a2ab009c50100a552ee09bb7d071a6b360 (this sample)
Dropping: AgentTesla
Delivery method: Distributed via e-mail attachment

Comments