MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e
SHA3-384 hash: b017ee2be33e68f980e3f514f228b2997d7934a0cc1d18d03d8ea1031b3d197ca56948c3c7029806d1513611ecfddf96
SHA1 hash: d7cc5f1c415f78df91f34ee9a3be06b9935e8900
MD5 hash: 3613773fbf8572f6fbed2c4e2dd0afea
humanhash: fix-mockingbird-xray-failed
File name:XHLK00987654323456789987654.Z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:12'546 bytes
First seen:2022-03-21 07:06:00 UTC
Last seen:2022-03-21 07:06:26 UTC
File type: zip
MIME type:application/zip
ssdeep 384:z9CelYKh6p2ntXQreipynFiLDWolIn99A2w:x/Wc6p2n9QKhnGO9mr
TLSH T18B42C0DCDFA2798598A58E741374F12C8957E86A8441E6A8CA134F48F17C4E3894B37B
Reporter cocaman
Tags:AgentTesla INVOICE z zip


Avatar
cocaman
Malicious email (T1566.001)
From: "ars_construcciones@hotmail.com" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.57.217]) "
Date: "21 Mar 2022 03:45:10 +0100"
Subject: "INVOICE-0987009"
Attachment: "XHLK00987654323456789987654.Z"

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623823ddb94fb38cb4c0d328/reports/66aef586-47d6-4415-a207-1c80caed81b4/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 07:06:10 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:xloader campaign:pot0 collection keylogger loader rat spyware stealer trojan
Link:
https://tria.ge/reports/220321-hw3sqahhf3/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a1b314c2bffba860a728261b057cfca79035882cded006f28a95b0de01fdf23e

(this sample)

AgentTesla

Executable exe bf4d80e2514ae5284dcb0db44946adc67640f8a005049951ee46a03f80c1d3b5

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 bf4d80e2514ae5284dcb0db44946adc67640f8a005049951ee46a03f80c1d3b5
  
Dropping
AgentTesla
  
Dropping
SHA256 519613b7d1ac99793523eed3df18438ecf95f4da29fd4c1ccaddc08cf0600960

Comments