MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061
SHA3-384 hash:	c49d4596cbe430d234da00df571e6c9768114614ffc9bf258377f55a812dc9a1a00ebe35d73e0f07ffc89fbee852a068
SHA1 hash:	f267d072b2cd036b00fa7e13fe22f2053e6cff30
MD5 hash:	83a916a76a8ad16ba04dec3ca84ba634
humanhash:	papa-snake-minnesota-hawaii
File name:	3301-20200923023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'067'656 bytes
First seen:	2020-10-17 06:54:11 UTC
Last seen:	2020-10-17 08:03:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:ZWKnf1XmBFdU8x2fzjhVLHtalUmJsTEOA:HnmdMvQllOA
Threatray	604 similar samples on MalwareBazaar
TLSH	FE35CB082C84763AAFDD33709F20D460977062B3056959FDE8EE4ACEC7578A7A84D8F5
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vps.sz-hopestown.com
Sending IP: 45.95.169.180
From: Ing. Kiss Róbert <info@sz-hopestown.com>
Reply-To: Ing. Kiss Róbert <ingrid.roloplasts@gmail.com>
Subject: 3301-20200923023
Attachment: 3301-20200923023.zip (contains "3301-20200923023.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

92

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.44094023.15919.11491.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Sending a UDP request

DNS request

Sending a TCP request to an infection source

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/494317

Signature

Antivirus / Scanner detection for submitted sample

Connects to a pastebin service (likely for C&C)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-16 23:11:36 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pom7nik2ctgz3svkzbst53bv4hbnbxd2ok2n6jw6zb7djtd22bqq._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d

67e8fcfa65a48b5ef7288e91ac8ddab1180cf33150471357485511509955413c

757d376a5edc5d260ab3fb209797dbbdf3ce43f6331432174b1398f14e723e20

98f16bf7fd0d32ebf300230c3992712556f0bebc91678c4a6da74f7a900be68b

b2027562cdbec2beeb72eb09715b7615a62c0050d663eafc82de9d3461a05dc0

bae353be3d64c66c76ca33280e436b02460497265e503b772db81c2e84971cba

bd5f6e5567639e5e1c4619a02ff2db2eb3242cd6e25e50f7b7559202fc7f061c

c1fa48c0b9c81541dc2ba39db3fc1c410f6231e8df9aa69c02bdd1c8549b453a

e6793974644f3523b0e79add22e915ae65bcda618b397dd42a6877d2b3e9e2c0

f740b4f32c0d32f5ee1525c3da775efdb4cc6535fc7ef372b373c9c67f32cd2e

+ 594 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201017-yt82bbaqba/

Behaviour

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061

MD5 hash:

83a916a76a8ad16ba04dec3ca84ba634

SHA1 hash:

f267d072b2cd036b00fa7e13fe22f2053e6cff30

Link:

https://www.unpac.me/results/75cd9002-c502-4c52-9c4b-aef71ec6b494/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Dropper

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 7953666bda7e8d71d3ae39c5a2efc7c5ded1895cddc059983524f2481b7ebda8

exe 7b99f6a15a14cd9dcaaac8653eec35e1c2d0dc7a72b4df26dec87e34cc7ad061

(this sample)

Dropped by

MD5 c220ffcbd5db95a7dfc21dc8e03f15c7

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/72467/

Dropped by

SHA256 7953666bda7e8d71d3ae39c5a2efc7c5ded1895cddc059983524f2481b7ebda8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample