MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 928c7fbbdac2a97828adca1481ab55f2fa8d43214be214ecf270751476e78ad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	928c7fbbdac2a97828adca1481ab55f2fa8d43214be214ecf270751476e78ad8
SHA3-384 hash:	a780870cf2e16f59f06a4201d92cf650f251fb92c005aea7c82707797fc77c82ea692a7f6465c57727ebcf186083c45c
SHA1 hash:	7efce721c6a3e76f3c980b4965256063e57f11aa
MD5 hash:	23b14fae5c63aed483a08da546bb1e12
humanhash:	beer-summer-fillet-cardinal
File name:	Purchase Order Lists and Specs.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'358'272 bytes
First seen:	2020-08-15 17:15:15 UTC
Last seen:	2020-08-15 17:53:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	49152:ibxjbKVq2heFGWUVnH2QoaZG26tJECHJV8u6VGC8odfLnqZKNCIwhU:ipqcE9H2QoPFEoX8uAHG
Threatray	583 similar samples on MalwareBazaar
TLSH	EAB523253611CE49C16A973AC79A940897FA9C0BB131DF2AFFD723D44921BB11F2148F
Reporter	abuse_ch
Tags:	AgentTesla exe Hostwinds

abuse_ch

Malspam distributing unidentified malware:

HELO: hwsrv-755268.hostwindsdns.com
Sending IP: 104.168.220.131
From: info@eleasunn.com
Subject: RFQ for ff & fa
Attachment: Purchase Order Lists and Specs.pdf.gz (contains "Purchase Order Lists and Specs.pdf.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

95

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/46324/

Detection(s):

SecuriteInfo.com.Generic.mg.23b14fae5c63aed4.25917.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/432057

Signature

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/928c7fbbdac2a97828adca1481ab55f2fa8d43214be214ecf270751476e78ad8/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-15 17:17:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=skgh7o62ykuxqkfnzikidk2v6l5i2qzbjprbj3hsob2ri5xhrlma._file

Verdict:

unknown

Similar samples:

3ac8a6bb8e3551f1889bcdbe567d78c4d1afd90f91904d5bbaffc6879abbb37a

7391f3917523baee91e92967c12e20c57448474696590fcbc6e5e6b3c5e21f78

87577cf9a668390b93b9fe82794b21cd0579d4b1a7b4f0a4d0b841d03d046daa

9dc9ad5a5c2a56c7155bc775dc4b1d53c995f1498678a1ddb5d23010dd11c889

9e685dbb18a96ef4d8877f5b516ab8e5821ae79512d7dfe011330633775c289c

cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6

d18a9ab5894eef77fd871647912b9a4aa51e4124568055c8aca3537fd150b7e3

d1dfcf2c14f3a10655f061a7833367abdcdeba8ad5ab3843edc4bed4ec19e9f9

e33ecba374a7d34a6c237fde198844930a82c27199c76f49bc0558e0caf1f4a4

f5e0fbe83739081ba2bc70e0aae26a0dd33358061b931f96e3ee12eefae90fbf

+ 573 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200815-gqv5hafz52/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/928c7fbbdac2a97828adca1481ab55f2fa8d43214be214ecf270751476e78ad8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 2b53cecb48493497e6d1d534a23a70c5acb3551270befbfef38a0f93d6170686

exe 928c7fbbdac2a97828adca1481ab55f2fa8d43214be214ecf270751476e78ad8

(this sample)

Dropped by

MD5 08c2c749dc1adf2e56e199c1144ecc20

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/46324/

Dropped by

SHA256 2b53cecb48493497e6d1d534a23a70c5acb3551270befbfef38a0f93d6170686

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample