MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648
SHA3-384 hash: bfdf1de9fd5b6e77f5ad297336e48c34cbd40f1f6886e764c418bc1490491b04017d47662c50df76e484cdb4b103043c
SHA1 hash: 9e45d9f426d6bb886676e73bb2a9bb8ccd591f9a
MD5 hash: 0f7a3d499db481c0a6938a32e22074be
humanhash: fifteen-vermont-lamp-helium
File name:Payment _confirmation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:624'712 bytes
First seen:2022-02-22 20:23:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:zb6UG1NAN8Axjam22QMPnJjUisFtlH2UMq2PZgue0yzgX3GXfl5OzE:zbm1YfV2vhFtlH2UgPZgpgXWXTH
Threatray 1'622 similar samples on MalwareBazaar
TLSH T184D412562021C5DFE2E202360825275FA6F0AF622332A58F57507EBDBF75F919F65302
File icon (PE):PE icon
dhash icon 2c047ccce4e0dc1c (2 x AgentTesla, 1 x Formbook, 1 x GuLoader)
Reporter TeamDreier
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:pseudonavicular
Issuer:pseudonavicular
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T08:18:11Z
Valid to:2023-02-21T08:18:11Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: c45533be95345ca13d55c363054869d82ef9006768fd1ef38a36a298f9e5d298
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243445/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7052/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62154667a2660f3bb9288c3d/reports/a62c77d4-8d13-4ca0-beb7-1dc554da2d58/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/77d199e8-688d-4a45-a914-88b28dd92809
Result
Threat name:
AgentTesla GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944287
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 576765 Sample: Payment _confirmation.exe Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 28 mail.hotelfundador.com 2->28 30 hosting.hotelfundador.com 2->30 32 3 other IPs or domains 2->32 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 5 other signatures 2->46 8 Payment _confirmation.exe 22 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Local\Temp\usp10.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\...\raschapext.dll, PE32 8->22 dropped 24 C:\Users\user\AppData\...\provmigrate.dll, PE32 8->24 dropped 26 2 other files (none is malicious) 8->26 dropped 48 Writes to foreign memory regions 8->48 50 Tries to detect Any.run 8->50 52 Hides threads from debuggers 8->52 12 CasPol.exe 11 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 34 drive.google.com 142.250.186.142, 443, 49805 GOOGLEUS United States 12->34 36 googlehosted.l.googleusercontent.com 142.250.186.65, 443, 49806 GOOGLEUS United States 12->36 38 hosting.hotelfundador.com 94.126.168.68, 49818, 587 FLESK-ASPT Portugal 12->38 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->54 56 Tries to steal Mail credentials (via file / registry access) 12->56 58 Tries to harvest and steal ftp login credentials 12->58 64 3 other signatures 12->64 18 conhost.exe 12->18         started        60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->62 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-02-21 16:27:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vagxulniynz2scd4y65vk276eqybt6tmpbyurch7wf7fxicjszea._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
06139d63dd6245a7ddc44c5d812a80da0b23b984c42fde376465238cb4430064
AgentTesla
0ea4b5e412d2be79038ea367836d33c48b10b9ed9d26215c8e2c98e751418d9c
AgentTesla
4959de8067a62478d5192edb0c7822484ea3f75c643100b4c73b0165eadd8911
AgentTesla
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
AgentTesla
c5072b4120ac9daa3dc0e000cce9e6d6e3a1ca01fed779e0b43d877a744409cd
AgentTesla
c5c0fbca778f53dc085d84ad3f038e4a20bce7add5f07012594194bc3bca522a
AgentTesla
c6f93eb69924750adbe61115b2d6a200d534e783c6bd4ca0e2c0cd2969e9469e
AgentTesla
+ 1'612 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220222-y6pxlsdch8/
Behaviour
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash:
cff85c549d536f651d4fb8387f1976f2
SHA1 hash:
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
Link:
https://www.unpac.me/results/c39ad881-2637-42d6-a93f-b9255cb38d0c/
SH256 hash:
a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648
MD5 hash:
0f7a3d499db481c0a6938a32e22074be
SHA1 hash:
9e45d9f426d6bb886676e73bb2a9bb8ccd591f9a
Link:
https://www.unpac.me/results/c39ad881-2637-42d6-a93f-b9255cb38d0c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a80d7a2da8c373a9087cc7bb556bfe243019fa6c78714888ffb17e5ba0499648

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/243445/

Comments