MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42c9d1c730159fea42ed1ae38835ffc8427baf94e5e5fa59e9b140b505cd273c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	42c9d1c730159fea42ed1ae38835ffc8427baf94e5e5fa59e9b140b505cd273c
SHA3-384 hash:	163bce4b639d713331bf0a2089af19c6fb6e0c4660e717b4a4c5595fd5e8464601a7899d1ea5916ce16e2cb6ce50dc68
SHA1 hash:	fd4db67eebeab60048a85e2cf9c10510d815af58
MD5 hash:	4ad19f3b83382bd4874693be46fae7c3
humanhash:	sodium-tennis-october-low
File name:	Revised Proforma Invoice WSI116850PF.r00
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	473'851 bytes
First seen:	2023-06-09 12:55:16 UTC
Last seen:	Never
File type:	r00
MIME type:	application/x-rar
ssdeep	12288:wwc3aeUzJhOFbM4W1lBzoEfPWMquVdnAyL4bry:IKemfOFbDWfC6KCtke
TLSH	T1F2A423D1DCBC92A9CE24445024E9F556A013A35C1B7EB7E127984A1C22E215B3BCFF77
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla INVOICE r00

cocaman

Malicious email (T1566.001)
From: ""Caroline Young" <cyoung@ward.com>" (likely spoofed)
Received: "from ward.com (unknown [81.161.229.100]) "
Date: "08 Jun 2023 12:45:39 -0700"
Subject: "RE: [EXT]RE: NEW SALES CONTRACT - WSCON116850 ~Naveena Steel"
Attachment: "Revised Proforma Invoice WSI116850PF.r00"

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Revised Proforma Invoice WSI116850PF.exe
File size:	905'216 bytes
SHA256 hash:	3e1f623f0b2c1b85bcbca396bbeb79e06db39138a004c14201827ed1a8ca377a
MD5 hash:	eac45e7940e2536662d67f5c2bb888f8
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6483216315a07ef7440e7c2b/reports/280237ed-0873-44a6-a4b6-3fafb39f69b5/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/42c9d1c730159fea42ed1ae38835ffc8427baf94e5e5fa59e9b140b505cd273c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42c9d1c730159fea42ed1ae38835ffc8427baf94e5e5fa59e9b140b505cd273c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-08 13:32:11 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ile5drzqcwp6uqxndlryqnp7zbbhxl4u4xs7uwpjwfalkbone46a._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42c9d1c730159fea42ed1ae38835ffc8427baf94e5e5fa59e9b140b505cd273c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.