MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756
SHA3-384 hash:	abb578085cc51f25f8451be27d880e17d9c7aa75606d6ad653f1e6533d84902b1e0f27fe930f73fb893356d63ccca0ed
SHA1 hash:	cdd6d1028eddf14371767e14afdd7431660831c2
MD5 hash:	160f2588a4461b11598465eea0165fd6
humanhash:	nineteen-edward-lithium-speaker
File name:	Invoice for Qutation no 72QC-GMI2022.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	587'101 bytes
First seen:	2022-08-31 12:14:31 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:VgiLPJPLyLzw5JnfqyH/csMKrnPDkpeICtPAtd:VgiLPl+AjnCj1YPDIOPA3
TLSH	T138C42394247E7CB8E078BB6406F1C49E6634E4898060F0C96FE37FD78BDE112979D9A4
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla INVOICE zip

cocaman

Malicious email (T1566.001)
From: "info@msmemart.com" (likely spoofed)
Received: "from msmemart.com (unknown [185.222.58.58]) "
Date: "31 Aug 2022 14:13:27 +0200"
Subject: "Invoice for Qutation no 72/QC-GMI/2022"
Attachment: "Invoice for Qutation no 72QC-GMI2022.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Barys.28265.17868.20575.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/630f51835e025f2e7b04129b/reports/cfa335da-89a9-41c8-b291-bbb660c2eb7e/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2022-08-31 09:16:28 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 40 (47.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ntssgo4ziomu5h43n6rlo3rdbgkvswfl5tl5bl5ar76geekqo5la._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220831-pewreaffa6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6ce5233b9943994e9f9b6fa2b76e2309955958abecd7d0afa08ffc6211507756

(this sample)

AgentTesla

exe 2930abb6e31cbdf6d1af24a7cabf3d6c42de617e4fe399f40ecb2203fe96c075

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 2930abb6e31cbdf6d1af24a7cabf3d6c42de617e4fe399f40ecb2203fe96c075

Dropping

MD5 e2a590743a14705d3906dcbfc105bb44

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample