MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581
SHA3-384 hash:	57ab061160a8e3e374ed390e7086b03a6db54ae025bc1d2f4eb43d426e7182fbfeb9340a64341cad23204b251a15b720
SHA1 hash:	08197a749f433c9a36af6911a0f06808d0937d24
MD5 hash:	f9bf67697d0da7a78d8b436bde5ef431
humanhash:	india-stairway-virginia-nine
File name:	CGK HAWB 01.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	391'910 bytes
First seen:	2021-10-07 10:00:29 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:9cJqwdQUNZnyh854mdGq+0jG5BD4wwQ0NIj8GDML/bduHC/LNPceDWca8JJJw:qJkh8CPz0qDB0xGQL/kizNPzfg
TLSH	T1FF842367452520C7DDB6894B378F37A8BB31A0D69B0064593CE2DBE0F8EB2A811357C7
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "Raza Syed Misam <syed.raza@pzu.pilship.com>" (likely spoofed)
Received: "from pzu.pilship.com (unknown [103.28.70.165]) "
Date: "07 Oct 2021 11:59:07 +0200"
Subject: "DOC-76 AIRSHIPMENT"
Attachment: "CGK HAWB 01.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615ec55fe3d213d202b9b0d9/reports/b279d09d-24be-4191-9273-5e9bdf44db65/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-07 06:47:51 UTC

AV detection:

2 of 45 (4.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rjhxs5isg6cqvfwowtpeltdfbv5vsazsoim24jxih7tbmm5luwaq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211007-l175sacdhl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8a4f79751237850a96ceb4de45cc650d7b5903327219ae26e83fe61633aba581

(this sample)

AgentTesla

exe f28ab5d1c3e9e6e4b38e4c2ffc2a724544ee06d0616db88d4f836902f8a27012

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 f28ab5d1c3e9e6e4b38e4c2ffc2a724544ee06d0616db88d4f836902f8a27012

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample