MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed
SHA3-384 hash: 9fc9ec4f3cee562ecce8edc9fe7136350434d33904a75ad9ded5c04bf5908dd03168eac2024d22bed9dffeb0ad0aa2fa
SHA1 hash: 578580f4f6cd2f8e35d70961aa09a668e7f207d5
MD5 hash: c5574d865f29cdb1a920dbd61c219e65
humanhash: maine-blue-social-green
File name:MV AMIS WEALTH CTM USD 40,000.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:781'330 bytes
First seen:2022-01-25 05:51:44 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:BWPG99F5StnLbLCSHQGsVouy9dWb2l0pw4/PADK92/ZEv+95pW1VISG3HD54Ed:BWO9tmGSDsquWgJe43AE2/ZEG9nW1VId
TLSH T1CDF4330096ECC5D5C07DED78E23A6B56365B35CD6EA63D94220CF189872482F8F2EA5C
Reporter cocaman
Tags:AgentTesla zip


Avatar
cocaman
Malicious email (T1566.001)
From: "ajilani@rgppl.com" (likely spoofed)
Received: "from rgppl.com (unknown [45.137.22.111]) "
Date: "25 Jan 2022 03:51:52 +0100"
Subject: "Wisdom Marine Lines S.A."
Attachment: "MV AMIS WEALTH CTM USD 40,000.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.8970.8803.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/61ef9006f81da814afa24fb3/reports/7385f41f-e40f-40b2-84a3-758b43fb1c06/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 03:13:37 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qdtoe4ptwbmnmwpasgzociboo2tjposarnolgjario6pozfoxwq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220125-gkq44shhal/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot2092755520:AAFUT-2SMjjd39KTAiZYfccbaFzWXamzjz4/sendDocument
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f40737138f9d82c6b2cf048d97090173b534bdd2045ae599208a1de7bb2575ed

(this sample)

AgentTesla

Executable exe d03df98c136604138b930409e4c084ac694f1e0f571fbefae620cec8cd05d619

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d03df98c136604138b930409e4c084ac694f1e0f571fbefae620cec8cd05d619

Comments