MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707
SHA3-384 hash:	d54bef8281dd992d2d50eee51792ee7b04e2e2c793142bb6990b64adb93f3e74dee3a789ab51385d10c42d664b46e3b1
SHA1 hash:	f18a1734821d5446f8778ebfa3e90f5183418bce
MD5 hash:	59a096315bff6761129aaa01bde9fd48
humanhash:	spaghetti-artist-cup-enemy
File name:	BANK DETAILS.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	414'644 bytes
First seen:	2021-06-10 05:39:21 UTC
Last seen:	2021-06-10 05:40:52 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6144:mIZz1EpNyx825Uy0Bulq3g8JrmFfkY9TEgj0WUGf5ud6FqEGA/wZJ7VVwH:hlsyxoUlMzTYCtbGRkPE1wZ9bq
TLSH	F594232113A933D15311127A0C93D59BCBDB6026448EF7D81581FEEBCCA69C3A6F46BD
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "=?UTF-8?B?RGF2aWQgTmfCoA==?=<customercare@omfreight.com.cn>" (likely spoofed)
Received: "from omfreight.com.cn (unknown [185.222.58.149]) "
Date: "09 Jun 2021 20:22:32 -0700"
Subject: "=?UTF-8?B?UkU6UkVDT05GSVJNIEJBTksgREVUQUlMUyBGT1LCoFBBWU1FTlQ=?="
Attachment: "BANK DETAILS.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn111.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-10 05:40:12 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 47 (42.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v4tvuvuqemz5iuxfqun5xp3eepjwp6gpd65ukthxw27olxkiw4dq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210610-ns4xtebfg6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Contains code to disable Windows Defender

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip af275a56902333d452e5851bdbbf6423d367f8cf1fbb454cf7b6bee5dd48b707

(this sample)

AgentTesla

exe 8bd3e79c27a89a3876bf4ad72bd24ae1be20265b37bb99a37ee964bf7bacaa66

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 8bd3e79c27a89a3876bf4ad72bd24ae1be20265b37bb99a37ee964bf7bacaa66

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample