MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b029f16ada90435e49b9e418b20ada1da70b00faf95e7c1d42a82c35a791bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	8b029f16ada90435e49b9e418b20ada1da70b00faf95e7c1d42a82c35a791bea
SHA3-384 hash:	8dbf2496ed2df780a42f303b3871b0f3bc9d76eac686eafdd78391f6636bc6e1767758d16f4f200ac26f57929016262f
SHA1 hash:	f67338253bc01a4a9a911ef38874783260b533e2
MD5 hash:	de23f4384202baf1211b1fb83dbe7a5a
humanhash:	double-april-arkansas-july
File name:	DOC030520-0~.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'058'816 bytes
First seen:	2020-06-05 06:06:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	24576:yO6ft70Nqr1oMIauUEE8lOyOs0kaMQu7PMG:L6ftKqZoNauHxln0bu
Threatray	2'572 similar samples on MalwareBazaar
TLSH	A9359ED47A34D4CDC0A97EB13529EC700BB4AD366D2BC9010272BDD8F8B97547E0A6B6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: serve0.barunka.pw
Sending IP: 173.82.94.231
From: Nahm Gil-Hyun <wgd20091001@163.com>
Subject: [NEW ORDER] PO TRD20026 // CHOYANG TRADING
Attachment: DOC030520-0~.7z (contains "DOC030520-0~.exe")

AgentTesla SMTP exfil server:
smtp.pbrend.com:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

77

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-05 01:21:00 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rmbj6fvnvecdlze3tzaywifnuhnhbmapv6k6pqoufkbmgwtzdpva._file

Verdict:

malicious

Similar samples:

4fd457b5e2ff2430dbce5692ba6c47253ade9e105ffb192d01aee29d6ba7c912

500e233a6338c45f2a562a06021fb6b2a63dd5e4d42d5c4db69e7f7b90f023fd

6ee9c2dbb4e02add4966f1a720be2c6dd22cb0088fff92aa0e9a6b4d91e85b67

8f27118a7a0517e6c4d8b6cd4c4750a5c931bc0629194b331608b7109d7d202f

a8a34f7cc54c8a10102365b8937d4fa2cffd931abf4f5f0acc4c3aa7992b8605

cac67b5ab04de81f69b8f4f882ad22e26672a61ed96d2e1f69d72f59c36bf401

e4c60dcd8e589bb396186142764e1c233cb2540f28552f35eeb4f9d87d707eca

eb6b605e87d9b95d3025dc253f41a29839939410291038e1cbe630338578d17e

eca1fdae380cc050ec988abc1b455a2694c0c838e90fb6d7c02806de60a54e03

fdd0837f186808dee6bf7c2c54797c3e44fb203f956f0ff9b9aee6e8397a2d3e

+ 2'562 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/201109-7tv64d9pms/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z 3976e95d0a418f7c78982799743a4ea6ec94127a4a788e32b4c321a06cf05721

exe 8b029f16ada90435e49b9e418b20ada1da70b00faf95e7c1d42a82c35a791bea

(this sample)

Dropped by

MD5 c2a8fb57470a48f1ea2a9d2a50e39afe

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3976e95d0a418f7c78982799743a4ea6ec94127a4a788e32b4c321a06cf05721

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample