MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a63c97a1fc21eb636b4256ef662d9c6079a09e85924de12a915eaa9aa7660d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a63c97a1fc21eb636b4256ef662d9c6079a09e85924de12a915eaa9aa7660d25
SHA3-384 hash: 93d313b02a20dc6c32123deaf46654a91cca2c487ba30ba7307090ac8f23a6a27aa1b297bb028cd9e0f6025fbf381356
SHA1 hash: b41f66dc2487538cf5d8466acb48b2044538ced4
MD5 hash: cdc0548ecefc6e2bfb2aaec8631de48d
humanhash: wolfram-coffee-summer-black
File name:RFQ No.718552.docx.gz
Download: download sample
Signature AgentTesla
Create hunting rule
File size:608'905 bytes
First seen:2022-05-20 05:52:54 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:S+MtEJ94x5SmEOkMbnrHLURm1R80p5xnuSDWl:S+yESd5nboRm1W6nuSil
TLSH T15CD423F50D3025A0A0C08D4576CEADC5BED75F0C47AD1E26F888A73150E24A5FEA26EF
Reporter cocaman
Tags:AgentTesla gz QUOTATION RFQ


Avatar
cocaman
Malicious email (T1566.001)
From: "PETROFAC Procurement Team <info@m2.fovoxi.sbs>" (likely spoofed)
Received: "from hp0.m2.fovoxi.sbs (unknown [147.182.155.89]) "
Date: "Fri, 20 May 2022 04:20:59 +0200"
Subject: "Request for Quotation: RFQ No.718552 - for North Caspian Operating Company -
JV NWTF"
Attachment: "RFQ No.718552.docx.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.8918.1662.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62872cfb054dcf0ecad02db8/reports/9de16883-8c8b-478b-8f06-de8b44f64dab/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a63c97a1fc21eb636b4256ef662d9c6079a09e85924de12a915eaa9aa7660d25/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 02:16:32 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uy6jpip4ehvwg22ck3xwmlm4mb42bhufsjg6ckurl2vjvj3gbusq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220520-glahracgh3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a63c97a1fc21eb636b4256ef662d9c6079a09e85924de12a915eaa9aa7660d25

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz a63c97a1fc21eb636b4256ef662d9c6079a09e85924de12a915eaa9aa7660d25

(this sample)

AgentTesla

Executable exe a9a3cf652bccfa1482aa9856a8c3ffe6ecd932d877f807cbe657130bd93f4de9

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a9a3cf652bccfa1482aa9856a8c3ffe6ecd932d877f807cbe657130bd93f4de9
  
Dropping
AgentTesla

Comments