MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29
SHA3-384 hash: 50b82fd5d29dc890cfbdf55d315baa738d860375a66e3013145016e35688244794dbe68c2de6c60f5143a391dd43c938
SHA1 hash: ce06fb6a4d8c4a98c3efe4434dec777f8cde7f74
MD5 hash: 14e0790687a48ad366b38b0ee3f384e9
humanhash: one-monkey-oranges-paris
File name:Purchase_order_Y93747710.7z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:703'413 bytes
First seen:2023-11-30 08:38:57 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 12288:VO10SNS+xRlvuwtg9ReEhCdKKUpQFmfrqVhpsn3TjqE1EHxHDudz5aHr:VOOSNXRtuUgv8OpQgfYI3/nuRHDuBMHr
TLSH T1A7E4239DCAC0D4C325AA6136C35BF8DC487FC89A3A50F14C37696E4111AE7A2647BEF1
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:7z AgentTesla


Avatar
cocaman
Malicious email (T1566.001)
From: "Ogawa, Carolina <Carolina.Ogawa@agcocorp.com>" (likely spoofed)
Received: "from agcocorp.com (unknown [91.92.248.50]) "
Date: "29 Nov 2023 20:09:27 -0800"
Subject: "UPDATE SCHEDULE - AGCO ZHEJIANG SHUANGHUAN"
Attachment: "Purchase_order_Y93747710.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Purchase_order_Y93747710.exe
File size:980'480 bytes
SHA256 hash: 2a33dbe8548389084bc412b6d906717ed20751b2ea63d94bfff0a693a32c6ada
MD5 hash: 9f771ec413240eb2885fbcb26c2fb048
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11087.27950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29/results/dashboard
Verdict:
Malicious
Labled as:
Mal/Drod7zip
Link:
https://www.hybrid-analysis.com/sample/c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
0%
Verdict:
Benign
File Type:
Archive
Link:
https://malprob.io/report/c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-30 08:39:01 UTC
File Type:
Binary (Archive)
Extracted files:
24
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zbsynuqv5yzzl2dsggbj6vmd6hout7tlfh2zh2b7r7vdc6j4vmuq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231130-kqe6kshh5y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z c86586d215ee3395e87231829f5583f1dd49fe6b29f593e83f8fea31793cab29

(this sample)

AgentTesla

Executable exe 2a33dbe8548389084bc412b6d906717ed20751b2ea63d94bfff0a693a32c6ada

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2a33dbe8548389084bc412b6d906717ed20751b2ea63d94bfff0a693a32c6ada
  
Dropping
MD5 9f771ec413240eb2885fbcb26c2fb048

Comments