MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19
SHA3-384 hash: 08a1a4643ffb4e7a66d422167a781f8aec8efe81ff01112546b13eb1ffa9c46f6340803d690337c411def64aa2118199
SHA1 hash: e228f830e3736ab82d08f73edc28a386e510e3a4
MD5 hash: d2fa98dc5aa22635cb321bf6f1c7df8d
humanhash: west-xray-stairway-lamp
File name:PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'314'816 bytes
First seen:2020-10-09 06:02:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:6AHnh+eWsN3skA4RV1Hom2KXMmHapU69JVWkjkHkgB+BQD5:Nh+ZkldoPK8YapU69fWkjUB+2
Threatray 596 similar samples on MalwareBazaar
TLSH F455BE0273D5D036FFABA2739B6AB60156BC79250133852F13981DB9BD701B2273E663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: stock.ovh
Sending IP: 51.178.87.221
From: Youssef Azeez <sales5@cnsafeline.com>
Subject: Attached PI
Attachment: PI.zip (contains "PI.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69407/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/486277
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 15:38:48 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mcsiz7o3oiofdq2vv4dsx6cdzpsxrj6sdk3riohqzkgj2dntmmq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0282b710d24b3d098017e3231c93e1b46bf8586a6e0cc83ec76f2a1d710c6813
AgentTesla
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
AgentTesla
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
AgentTesla
34cedb568c833efef91d94869b50b0d0b41f51e9dd882f9c2602f14f391b15aa
AgentTesla
37dd9ac0253be5eb6036877963ff457db90932e34d9bbd2c18852bf8bfd873c2
AgentTesla
48b1f899e7ad8d880a6bf9d97ada6507c4403c8d8e81815f83fb8181ca247008
AgentTesla
9c5315409c9ccb1e74195e244a17531781b973f9f489743602c18aaf5a22e7fb
AgentTesla
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
AgentTesla
d76bb689a401094eee47a075368224161d261665c2b285b155d1b7833ba4fbaa
AgentTesla
e897888dd36ab2a5740030d628f510ef0563d9d039e896b45134a4a5c4a82bb7
AgentTesla
+ 586 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201009-s1swmr7cvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19
MD5 hash:
d2fa98dc5aa22635cb321bf6f1c7df8d
SHA1 hash:
e228f830e3736ab82d08f73edc28a386e510e3a4
Link:
https://www.unpac.me/results/4acbd08e-e82f-454b-94b7-b778f88c271a/
SH256 hash:
adfac934ed33f14679d743c906c407a6243773bbb2b26ffd591947bf7c6f60f2
MD5 hash:
fdeac8676b5a996889f8499939c4b790
SHA1 hash:
0397c0ea4c0bca72269b08fe0d65e872c48a27e9
Link:
https://www.unpac.me/results/4acbd08e-e82f-454b-94b7-b778f88c271a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c9f8ae52872f007051678889a24bbacf21312f69d4540f6639f79c5fd10642d8

AgentTesla

Executable exe f3052467eedb90e28e1aad78395fc21e5f2bc53e90d5b8a1c7865464e86d9b19

(this sample)

  
Dropped by
MD5 c17ab0b08f103943a661740fa6887726
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69407/
  
Dropped by
SHA256 c9f8ae52872f007051678889a24bbacf21312f69d4540f6639f79c5fd10642d8

Comments