MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148
SHA3-384 hash:	85435ea89182a456fdc3f81091573e98d3084a37bbf6c95a168a8e8af7b0b6f4f77ff6ae234ddf85a557589822fd53e8
SHA1 hash:	a2c6a6b6ca6059efc0bbc7c4cfbf2f3bd8a6fa3d
MD5 hash:	19fd1d1ac49af7a99ff3594147c33fe4
humanhash:	hawaii-december-skylark-three
File name:	Invoice.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	429'562 bytes
First seen:	2022-04-16 20:17:51 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:IqfDde19beIQzoHdqY9T8rJ55tqczmw0gdbsW:LDIKIQ8qSKJ7tqcSwbbsW
TLSH	T174942345D9372C2EBD03EE86959C8D923A46B038CB932B3477F3A4BD8292C4E275D147
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla INVOICE payment zip

cocaman

Malicious email (T1566.001)
From: "saleel@grandhyper.com" (likely spoofed)
Received: "from grandhyper.com (unknown [45.137.22.156]) "
Date: "16 Apr 2022 06:53:25 +0200"
Subject: "RE: Confirm revised invoice to proceed with payment ASAP."
Attachment: "Invoice.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

516

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn23.UNOFFICIAL

SecuriteInfo.com.Suspicious.Win32.Save.a.30503.16124.UNOFFICIAL

Sanesecurity.Malware.25244.ZipHeur.UNOFFICIAL

Sanesecurity.Malware.21103.ZipHeur.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/625b247bffe27d5119eacbff/reports/b20e140a-5857-4f6e-bc04-12cd4aaa2226/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148/

Threat name:

ByteCode-MSIL.Infostealer.DarkStealer

Status:

Malicious

First seen:

2022-04-16 01:32:55 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pewgnaeygnor4hemdcpzmv55lpq2d22j3i442bw37wtbunhyyfea._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220416-y29q8agbcr/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks computer location settings

Drops file in Drivers directory

AgentTesla

suricata: ET MALWARE AgentTesla Exfil Via SMTP

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 792c668098335d1e1c8c189f9657bd5be1a1eb49da39cd06dbfda61a34f8c148

(this sample)

AgentTesla

exe 71cef6c774b7a7cfbc7519cef16125c27f08f4ece2760f02c1baeb2ce5fd96bb

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 71cef6c774b7a7cfbc7519cef16125c27f08f4ece2760f02c1baeb2ce5fd96bb

Dropping

AgentTesla

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample