MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b62b7c9631eb0083e3db46652bc2a5f3156cea745191a70ac100e926c3e2877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	5b62b7c9631eb0083e3db46652bc2a5f3156cea745191a70ac100e926c3e2877
SHA3-384 hash:	d7a53a41969891e855fb3e303263543f6fd796a5e0e1caa02359d580cac9fe699fe0aad1b376aa37d05a93d9a50229d6
SHA1 hash:	d8d4a523c3a1f806434aef612d7545488b3bb292
MD5 hash:	92937757cdfa70b1128e934cd48e935c
humanhash:	mango-florida-east-crazy
File name:	PO TH23193_docx.img
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	282'624 bytes
First seen:	2023-09-12 06:50:32 UTC
Last seen:	2023-09-12 07:02:28 UTC
File type:	img
MIME type:	application/x-iso9660-image
ssdeep	3072:jAMD66PZwYQ39/VKQg1S/q6UmnmEAHmFYAmQKK20+cbk8ur7F4L3BX:k+Pe9/r9UXEADAmQf5+Qk8yaL3
TLSH	T13654E503B64A89A2D7885736C4DF09001362FD82A7A3DB1E358E73D50B733B6DD4A61B
TrID	99.5% (.NULL) null bytes (2048000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.1% (.ISO) ISO 9660 CD image (2545/36/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter	cocaman
Tags:	AgentTesla img

cocaman

Malicious email (T1566.001)
From: "Abudul <info@q-nap.com>" (likely spoofed)
Received: "from q-nap.com (unknown [141.98.6.209]) "
Date: "11 Sep 2023 22:11:44 +0200"
Subject: "NEW PURCHASE ORDER"
Attachment: "PO TH23193_docx.img"

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO TH23193_docx.exe
File size:	229'888 bytes
SHA256 hash:	6f550b705f890d3427d275958ea6f610de816cd420cc394ed2a6470349340c31
MD5 hash:	57115364d62ad88c9072f41e6a29e4fc
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20230912-0039.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

context-iso control formbook lolbin masquerade packed replace

Link:

https://www.filescan.io/uploads/65000a5769c1cf3b6ab3dcd3/reports/3fc169c6-0f70-4fde-a37e-d143338bf971/overview

Verdict:

Malicious

Labled as:

Mal/DrodIso

Link:

https://www.hybrid-analysis.com/sample/5b62b7c9631eb0083e3db46652bc2a5f3156cea745191a70ac100e926c3e2877

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b62b7c9631eb0083e3db46652bc2a5f3156cea745191a70ac100e926c3e2877/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-09-11 10:45:59 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lnrlpsldd2yaqpr5wrtffpbkl4yvntvhiumru4fmcahje3b6fb3q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5b62b7c9631eb0083e3db46652bc2a5f3156cea745191a70ac100e926c3e2877

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_EXE_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:	Internal Research