MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394
SHA3-384 hash:	465ed3c18f129e66a594116afaa64f1139a1253586f1cdab8396abc16fd9feba9c548b874df079606e727ddb956951ce
SHA1 hash:	d26148b31993145537aad79ef8ad4f22cf598cc2
MD5 hash:	759c99e99826c4fe3463c0f97ba0f8d7
humanhash:	jig-video-charlie-berlin
File name:	Marcelo Prieto Inquiry_pdf.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	450'585 bytes
First seen:	2021-08-09 05:22:27 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:I55sBJGsvoKBHooMV40+CiBTRDseeLD3lKFvJ2E8zlPQm+TKM364h5144gs9IV:G9idBFM+LUXsdJf6PQnKM3V5144LSV
TLSH	T109A4239A979E718723EE647FD28D0D02571ECBE98BF655201C3ED2F1048341F56F2A26
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: "Marcelo Prieto <postmaster@loft-dev.live>" (likely spoofed)
Received: "from cp3.loft-dev.live (cp3.loft-dev.live [107.173.52.103]) "
Date: "08 Aug 2021 20:23:48 -0700"
Subject: "Marcelo Prieto Inquiry"
Attachment: "Marcelo Prieto Inquiry_pdf.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_badexts14.UNOFFICIAL

Sanesecurity.Malware.25815.ZipHeur.BadExt.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-09 05:23:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=62hkmcto5so2cdehxmrde4zyqvnkqbos254kgdbkmnjickrdcoka._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210809-mnhk1lmgbj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f68ea60a6eec9da10c87bb22327338855aa805d2d778a30c2a6352812a231394

(this sample)

AgentTesla

exe d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 d0cf8e0f34188ff75a300f318d2a91bfeae74a1dec17b4cf71833bb801b84d90

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample