MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d
SHA3-384 hash:	e4e99957a9b3f7791bf2bbf9ab6594449cf0fb900a5528e692a46ed5487b12c63080b0b6cf18b19235d51bc1dfedadb5
SHA1 hash:	cbaf201aaabfa7769449a867a28c40b78cfe130c
MD5 hash:	09cad340d06161ee616eaa1419024f53
humanhash:	romeo-winter-crazy-wolfram
File name:	CI+PL+AD+OWNERSHIP TRANSFER.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	400'649 bytes
First seen:	2021-10-07 08:51:26 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:vh1NWm4Gwy1/+D4c7+A1eqxXmHUn/xrv56O7iAP0hoj1loqhNxSkjHOcrAXB:J1NWmN1/a4INeqxVnLKO1loqhNxSSPq
TLSH	T1D1842387E02D25D8737918BE8126D48212F5D0BC61694CE933E3A3C7B782E15B7FA971
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "Syed Misam Raza <syed.raza@pzu.pilship.com>" (likely spoofed)
Received: "from pzu.pilship.com (unknown [103.28.70.165]) "
Date: "07 Oct 2021 08:18:34 +0200"
Subject: "POJ-000056-74 BL No : OOLU2676337880--New Container will arrive on Oct 06"
Attachment: "CI+PL+AD+OWNERSHIP TRANSFER.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615eb534e3d213d202b99e69/reports/8e6a457a-056d-4dee-b8a1-465ed88de11d/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-07 03:56:32 UTC

AV detection:

10 of 45 (22.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhd6yttskeufxlpdejllberz23xsix4ld36omnqzks5knxow7zoq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211007-ksrx6acag5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 89c7ec4e7251285bade32256b09239d6ef245f8b1efce6361954baa6ddd6fe5d

(this sample)

AgentTesla

exe 9d640e68c41537494c927d0828cde421d3e55ea21b5a2d449e646d931c7614eb

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 9d640e68c41537494c927d0828cde421d3e55ea21b5a2d449e646d931c7614eb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample