MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9ad6aeba22530d244008aa13366de1bd3a609cf724d70e4af8d0f38378f65e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	c9ad6aeba22530d244008aa13366de1bd3a609cf724d70e4af8d0f38378f65e6
SHA3-384 hash:	2a1b468d78ad3639ec20ae2539ac843c967a34907f8a9ad2a6ce3576b6f443d87fd64c415f2d47a3b5657e557a611a0c
SHA1 hash:	09ada08a2d4932bd4f4b13f66595a99570bcd06e
MD5 hash:	a22762ab097f043b49576dcd32db22c0
humanhash:	magnesium-zulu-blue-cup
File name:	Scan Copy_pdf.gz
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	722'228 bytes
First seen:	2021-06-23 12:08:23 UTC
Last seen:	2021-06-23 13:12:42 UTC
File type:	gz
MIME type:	application/gzip
ssdeep	12288:raKuptR7fAf1pN6CJEDZX8SXwE0QhFvtFnZ1QDxyxExlf9kXEdFYxzhgjC411L:VwfANz62cMSgE0a5DwDxyxGOUFYhgjCq
TLSH	EAE42352B89AC9692B00B03A94AF045A17B16C4051E774EB9452357BB0FFCF1EFBE2D1
Reporter	cocaman
Tags:	AgentTesla gz HSBC

cocaman

Malicious email (T1566.001)
From: "HSBC <payment-advice@hsbc.com>" (likely spoofed)
Received: "from box.useast2compute.xyz (box.useast2compute.xyz [143.110.215.57]) "
Date: "Wed, 23 Jun 2021 13:09:37 +0100"
Subject: "Payment Advice- Ref:[HSBC99002992]"
Attachment: "Scan Copy_pdf.gz"

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL

Sanesecurity.Malware.27383.GZipHeur.UNOFFICIAL

Sanesecurity.Malware.25902.GZipHeur.UNOFFICIAL

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9ad6aeba22530d244008aa13366de1bd3a609cf724d70e4af8d0f38378f65e6/

Threat name:

ByteCode-MSIL.Trojan.ZmutzyPong

Status:

Malicious

First seen:

2021-06-23 10:57:28 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

10 of 45 (22.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zgwwv25ceuyneraarkqtgzw6dpj2mcopojgxbzfpruhtqn4pmxta._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210623-nybv2kb29n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9ad6aeba22530d244008aa13366de1bd3a609cf724d70e4af8d0f38378f65e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz c9ad6aeba22530d244008aa13366de1bd3a609cf724d70e4af8d0f38378f65e6

(this sample)

AgentTesla

exe b4d78c02fa2b8e9ef61a925c1fac4750d4a7d17030ae548833f7cfb5d9d67ed3

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 b4d78c02fa2b8e9ef61a925c1fac4750d4a7d17030ae548833f7cfb5d9d67ed3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample