MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41ccff19a3b9824e1266a7f13e8d8521ae5fa933b46f1f73a9375bc40754f755. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41ccff19a3b9824e1266a7f13e8d8521ae5fa933b46f1f73a9375bc40754f755
SHA3-384 hash: 54655466cf2d5555ab224675e879fa0105fe3c2f87f3e1268db502d3b3b0b0236320875d0b6404691fcb339996d86f26
SHA1 hash: 2111f704003bd997c6a2e1f2051cb20ecf54007e
MD5 hash: fff59fde1eddd1cde551c0e690e21a14
humanhash: rugby-double-tennis-virginia
File name:Request for Quotations.r00
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'856 bytes
First seen:2023-10-30 10:48:48 UTC
Last seen:Never
File type: r00
MIME type:application/x-rar
ssdeep 12288:Gt7m3YoCc9nnpsAmo6oqN9MV32JIcJJCgHQC6v72ETaqwZyEhAwW/Lps4+nv5:GxTorHsAmbNU3e9QCi7faqu5hArl+v5
TLSH T11CE43318C82F221FA916832498366EE269ECC4B71713775AB0517B4E4BE34FDB70D963
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla QUOTATION r00


Avatar
cocaman
Malicious email (T1566.001)
From: "Procurement Officer <sales@e-nbu.top>" (likely spoofed)
Received: "from mail.e-nbu.top (unknown [194.4.56.132]) "
Date: "Mon, 30 Oct 2023 01:14:18 -0400 (EDT)"
Subject: "Business Enquiry From APEC Industries"
Attachment: "Request for Quotations.r00"

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Request for Quotations.exe
File size:915'968 bytes
SHA256 hash: 50cf7c8e4c8f102dabb270e61cd8ad3e2e9492d48ce45a9909ea78eb903aae49
MD5 hash: 24238b4a81513300b139f29e76a195a0
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/653f8a1ebc703e36b0936863/reports/eeb0369a-1356-44e3-a7ab-b5a535353ab2/overview
Verdict:
Suspicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/41ccff19a3b9824e1266a7f13e8d8521ae5fa933b46f1f73a9375bc40754f755
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41ccff19a3b9824e1266a7f13e8d8521ae5fa933b46f1f73a9375bc40754f755/
Threat name:
Win32.Trojan.Zmutzy
Create hunting rule
Status:
Malicious
First seen:
2023-10-30 18:23:21 UTC
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihgp6gndxgbe4etgu7yt5dmfegxf7kjtwrxr645jg5n4ib2u65kq._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 41ccff19a3b9824e1266a7f13e8d8521ae5fa933b46f1f73a9375bc40754f755

(this sample)

AgentTesla

Executable exe 50cf7c8e4c8f102dabb270e61cd8ad3e2e9492d48ce45a9909ea78eb903aae49

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 50cf7c8e4c8f102dabb270e61cd8ad3e2e9492d48ce45a9909ea78eb903aae49
  
Dropping
MD5 24238b4a81513300b139f29e76a195a0

Comments