MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535
SHA3-384 hash: fd54cd0cae287c4b476719c100fb596f639d42a8a99b6aece149f7480261f79f088fe1680ca4f5196e74ab4af8e92266
SHA1 hash: 354e2f0fd918981d09bce7d5732de8d8486cb983
MD5 hash: c4d1ed0b65ed485614f5c6158fbdfd9e
humanhash: yankee-india-enemy-mississippi
File name:DOCUMENTS.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:413'303 bytes
First seen:2022-11-22 07:41:06 UTC
Last seen:2022-11-22 07:53:25 UTC
File type: zip
MIME type:application/zip
ssdeep 6144:pivov0abY8bAV2pHomFdn4x8mLEKnl/b/HTTlGACNKV2c1FiOi07RXZgOr2jgTnk:pi/FsImdnqLBNb/zTlGACgzVXZgO2Ek
TLSH T1589423FF3E203B5796E445CE18ADFBD09E88C6FBB7594E71B380AD568A2C00215056CB
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla INVOICE Shipping zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Vua Kem <vuakem@vuakem.com>" (likely spoofed)
Received: "from mail.vuakem.com (mail.vuakem.com [45.117.82.155]) "
Date: "Tue, 22 Nov 2022 07:53:37 +0700 (ICT)"
Subject: "Proforma invoice/Shipping documents"
Attachment: "DOCUMENTS.zip"

Intelligence

File Origin
# of uploads :
3
# of downloads :
137
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:DOCUMENTS.exe
File size:503'808 bytes
SHA256 hash: 70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056
MD5 hash: 7fb0054fe8ab33a1ae308d8ff5de9acc
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Zip_fs2920.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637c7d4b3bc7ee0904b3ffd6/reports/00d2c4f3-778a-48f8-904b-2d5e4f8af678/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 07:42:13 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3msjyusqjxwt2ohibgqfrbdzx66qvb5fq3oax6zig2y3ir5biu2q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221122-lm8jdscd5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip db249c52504ded3d38e809a0588479bfbd0a87a586dc0bfb2836b1b447a14535

(this sample)

AgentTesla

Executable exe 70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 70612d4332ec94d8443df6fa1cb9fa43502e54fc7a46ade65cc52058a824f056
  
Dropping
MD5 7fb0054fe8ab33a1ae308d8ff5de9acc

Comments