MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f
SHA3-384 hash: 85c656ca1eb7f3de925bd3313ad61d02a3d2df0cfadaabb5f8409c2f80b4669348a939100ada8f6e52a793ace3257b0b
SHA1 hash: 4192351ccb2ea68e96bd0075ae543945c7afa0c6
MD5 hash: c4a95ca000fde758d15acdf7e63d7f09
humanhash: freddie-lamp-lake-skylark
File name:Bid RFQ_pdf.gz
Download: download sample
Signature AgentTesla
Create hunting rule
File size:498'628 bytes
First seen:2022-03-15 14:48:23 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:nzUG/ACQLuu3aNReqcC4AR68ArvcEFFcE+Zw5fgR1ktvO:nzT/6ah4Z8cvkE++mktG
TLSH T154B423F755FCF2E8386A20DA0A2C91752623D6173FB0643B23DE6239885DF401F4A5B9
Reporter cocaman
Tags:AgentTesla gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Maria Samiao <dtsharma@outlook.com>" (likely spoofed)
Received: "from 3039.hostingviet.vn (3039.hostingviet.vn [42.112.30.39]) "
Date: "15 Mar 2022 13:19:25 +0100"
Subject: "Invitation To Bid RFQ"
Attachment: "Bid RFQ_pdf.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Temonde-6571898-0
Create hunting rule

Sanesecurity.Malware.27383.GZipHeur.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6230a769dfdfa8501ca45e13/reports/2814a88f-2751-4bf6-a4df-68c908434e4b/overview
Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-15 15:28:28 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z46tjofogusi4kryssvrrok4u242cqzlwgkrqooxxnykj4nvvgpq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220315-r61wjschh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz cf3d34b8ae35248e2a3894ab18b95ca6b9a1432bb1951839d7bb70a4f1b5a99f

(this sample)

AgentTesla

Executable exe a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a9d56a970eec658eb67a023fe7b188a4275499d2acf9f91819ae95ffcbebbdad

Comments