MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 849d9de1b44e83d634e6c38c526b275da38689e08e148fcc77fd4fbae62d6ce5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 849d9de1b44e83d634e6c38c526b275da38689e08e148fcc77fd4fbae62d6ce5
SHA3-384 hash: 883a1ab9888c950cb3ac2ad8c6490721314bb96c132164e7963cac454f777f7cc31070455116a2a323c7808d71ff457e
SHA1 hash: 092585d379c503b94673dd6d5a1a2ce31913188e
MD5 hash: 1cef6d9c8a8d9e72c06317466a953e85
humanhash: skylark-thirteen-muppet-eleven
File name:waybill_weight.gz
Download: download sample
Signature AgentTesla
Create hunting rule
File size:623'565 bytes
First seen:2022-05-25 14:46:41 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:Ty7wOw1T3qOdxE6SdLQfYkGx2ZyMEf5oo4htuQYSkD9RrYNJZ8HA:Ty7wO43ZQVdLQQkjZyMEfio4XuQBmRUH
TLSH T1F9D423DBA905AE84090F45DECEE99FE505EC3BBA3BCC85B8F64CA1579387001239D0B5
Reporter cocaman
Tags:AgentTesla DHL gz


Avatar
cocaman
Malicious email (T1566.001)
From: "DHL Express <parichard@bx22.fmoxi.sbs>" (likely spoofed)
Received: "from hp0.bx22.fmoxi.sbs (unknown [68.183.124.66]) "
Date: "Wed, 25 May 2022 03:52:21 +0200"
Subject: "CHECK DRAFT: Waybill 8991503673"
Attachment: "waybill_weight.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/628e41843ec49f83a6cac3b3/reports/7476cc50-24a6-435a-a726-282371a5c7b2/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/849d9de1b44e83d634e6c38c526b275da38689e08e148fcc77fd4fbae62d6ce5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 01:26:50 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qsoz3ynuj2b5mnhgyogfe2zhlwryncparyki7tdx7vh3vzrnntsq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220525-r5vm5sfccl/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/849d9de1b44e83d634e6c38c526b275da38689e08e148fcc77fd4fbae62d6ce5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 849d9de1b44e83d634e6c38c526b275da38689e08e148fcc77fd4fbae62d6ce5

(this sample)

AgentTesla

Executable exe 8283b086fa3d9a467712bb2bc822d2db194db33d49bd4a89d120283f9723461c

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 8283b086fa3d9a467712bb2bc822d2db194db33d49bd4a89d120283f9723461c
  
Dropping
AgentTesla

Comments