MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a223c2fb94ee1f33dbef1176a1d996935b251de30a65a37773e6fdcf8764aab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: a223c2fb94ee1f33dbef1176a1d996935b251de30a65a37773e6fdcf8764aab9
SHA3-384 hash: 102daf8253a9ec70703f64f5c76847ae4ef6f1abffec972c2ec778e06ca4e63baa86bf511b66bb14ec0f6cc1e5a85ae0
SHA1 hash: 4600cb891ab4497355cd45f3790f5f966441ae32
MD5 hash: 9ad5960e198482ab953df81bb5320162
humanhash: video-cup-eight-grey
File name: conferma.exe
Signature AgentTesla
File size: 598'016 bytes
First seen: 2021-02-22 07:31:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:AWMEvMxhwt2YyOgjzs69fFwlVbwGkUoYW0XuUbwVFxebMxyNS:AW4OnyOqs69a3kBnUvMxCS
Threatray 16 similar samples on MalwareBazaar
TLSH 53D4136023E82B19FA7E67F0767226402B7478859835FA5D0FC0B0D5A571BA4CAE1F73
Reporter abuse_ch
Tags: AgentTesla exe geo ITA


abuse_ch
Malspam distributing unidentified malware:

HELO: box.kashinsg.xyz
Sending IP: 23.254.229.19
From: Serah <info@kashinsg.xyz>
Subject: Re: Pagamento ritardato
Attachment: conferma.ace (contains "conferma.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 121
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj
Score: 56 / 100
Signature
Binary contains a suspicious time stamp
Machine Learning detection for sample
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Packed.Generic
Status: Suspicious
First seen: 2021-02-22 07:31:28 UTC
AV detection: 12 of 47 (25.53%)
Threat level: 1/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files

SHA256 hash: fda6fcd830c54694f8b5fe5a8a404a9ef0f1b66cfbad408d461735b5ed335dec
MD5 hash: 97be2a842868b883dbcef13a458d6d98
SHA1 hash: ce661ef1a131ef5ea80a0eabdf4824ff86ce3170

SHA256 hash: 247e5ced65f2e7b09455fbe8776b3a857338d9d40ffaf1563a027c3c05a4e2f4
MD5 hash: cac6c5cd13651340aa3261b41a797e4e
SHA1 hash: 8d652cb845efec6d5f1da52d6f131d7433c246d9

SHA256 hash: f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash: f984a71581f6da5732110be2a569a392
SHA1 hash: 10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

SHA256 hash: a223c2fb94ee1f33dbef1176a1d996935b251de30a65a37773e6fdcf8764aab9
MD5 hash: 9ad5960e198482ab953df81bb5320162
SHA1 hash: 4600cb891ab4497355cd45f3790f5f966441ae32
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a223c2fb94ee1f33dbef1176a1d996935b251de30a65a37773e6fdcf8764aab9

(this sample)

Delivery method
Distributed via e-mail attachment

Comments