MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b
SHA3-384 hash: 5c3c9633edeca26dd61ac96cfbd28e8ce2bccb5f2ff17b05a8daf17042245065585664d39daa2102c6955a1d3ce445dc
SHA1 hash: 15085b015a954490e4e350f318b916c396e96457
MD5 hash: 01496a0308b401533b0ced6c940c8c88
humanhash: connecticut-gee-alabama-king
File name:Purchase Order (PO) PO 00197086.rar
Download: download sample
Signature AgentTesla
Create hunting rule
File size:616'654 bytes
First seen:2023-10-02 09:20:08 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:8XZeZyCRmttRa1UgjWUlShppQ1Yh10pRO9EbqYBhty1mUIN/lm/lZlI1:2sIHa1UgyUS7u2huOOzt2Cdqe1
TLSH T194D423EBDF15F25225DE52B84A0F86B4BB930109A58E8F76B473CC24C5785D48B7B0B2
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Sujit Gupta <akot1@shaw.ca>" (likely spoofed)
Received: "from shaw.ca (unknown [45.137.22.123]) "
Date: "2 Oct 2023 11:18:53 +0200"
Subject: "RE: Purchase Order (PO) //// PO 00197086"
Attachment: "Purchase Order (PO) PO 00197086.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Purchase Order (PO) PO 00197086.exe
File size:672'768 bytes
SHA256 hash: 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
MD5 hash: 1ed5ad3e9e507982677854ddffae0bfc
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/651a8b8033582f234e097a80/reports/091d8d66-c0eb-4b8d-8eee-b0f15113d4d4/overview
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 05:11:10 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jswqhb3irbumdrgjswctijy7imdrcybpj2ek2m5j5wrjuztsifnq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231002-p2cbaace39/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4cad0387688868c1c4c9958534271f430711602f4e88ad33a9eda29a6672415b

(this sample)

AgentTesla

Executable exe 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
  
Dropping
MD5 1ed5ad3e9e507982677854ddffae0bfc

Comments