MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d
SHA3-384 hash: 328709e0a24d8e77cf1a91c70135631a37d8170f4f5af3fa4f74dc6a06599f56c1ab72e21a50d55bfb8bed4fcdd46692
SHA1 hash: 9485c57680a3831c02dc95513c082a3db966af32
MD5 hash: e3a0d6c971935fdaf5d6cd8a290344ba
humanhash: delta-carolina-oklahoma-south
File name:proforma invoice.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:653'556 bytes
First seen:2021-04-20 06:01:17 UTC
Last seen:2021-04-20 19:49:05 UTC
File type: zip
MIME type:application/zip
ssdeep 12288:Y0kd0aTBW3lvORUIgUEEUfL2n+CPoCUGKQfec7SzmzfBnwL8kl1FrHmj:U0D1z1ioCR5nwLXl/rGj
TLSH B4D423F72D90CB8B723A3921A1ADD372DDFECA25F0B58059C24165F9049974BC20BB78
Reporter cocaman
Tags:AgentTesla INVOICE zip


Avatar
cocaman
Malicious email (T1566.001)
From: "LEE WONG (MS.)<lw@milco.lk>" (likely spoofed)
Received: "from milco.lk (unknown [185.222.57.162]) "
Date: "20 Apr 2021 00:40:20 -0700"
Subject: "=?UTF-8?B?5oGt6LS6IENvbmZpcm0gcHJvZm9ybWEgZm9yIHBheW1lbnQ=?="
Attachment: "proforma invoice.zip"

Intelligence

File Origin
# of uploads :
6
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.23890.ZipHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=no22uu3gldu4ec4gvnh5qevvg6hphc3fbipe42vfnnhnhhhqtvwq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210420-hnbqxzzees/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6bb5aa536658e9c20b86ab4fd812b5378ef38b650a1e4e6aa56b4ed39cf09d6d

(this sample)

AgentTesla

Executable exe ab973b31d4c8051aa1d10711842c9059e3fbb50e7e7cf41112936f9bb03c3725

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ab973b31d4c8051aa1d10711842c9059e3fbb50e7e7cf41112936f9bb03c3725
  
Dropping
AgentTesla

Comments