MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9b302e255168f2985f4126b734cf622e5a90d4121d45ee3fa7579ea7b859af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 22 File information Comments

SHA256 hash:	6a9b302e255168f2985f4126b734cf622e5a90d4121d45ee3fa7579ea7b859af
SHA3-384 hash:	ca88cda879e9c7940c24b7d500328e82bcefca74d5649d19e72c497efb4ddc881e4b51ac92eeb1b2f715e5935a6e3715
SHA1 hash:	68909697e0ce09b3b9e78298cd8d6cc8e1c9fc55
MD5 hash:	9c8295c7d316278bcba262cd615cfdf8
humanhash:	alabama-missouri-mountain-red
File name:	S-O-A INVOICE.tar.001
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'120'768 bytes
First seen:	2025-04-14 14:33:06 UTC
Last seen:	Never
File type:	tar
MIME type:	application/x-tar
ssdeep	24576:gRpn6mBAiN7WU0L+Sba2njxQAp2Lz2wMiTfEW6P:I0ziNc9njPpaMiLEWk
TLSH	T1293533530A17D7AFEC5537F0A51610A7B130AA68CA12FB13C68CDDC7A94BFDE3664422
TrID	62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3) 37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika	tar
Reporter	cocaman
Tags:	001 AgentTesla INVOICE tar

cocaman

Malicious email (T1566.001)
From: ""Elyn Malbas" <acct3@ramadigroup.com>" (likely spoofed)
Received: "from ramadigroup.com (unknown [45.137.22.99]) "
Date: "14 Apr 2025 07:03:40 -0700"
Subject: "URGENT: SOA"
Attachment: "S-O-A INVOICE.tar.001"

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	S-O-A INVOICE.exe
File size:	1'119'232 bytes
SHA256 hash:	e4bc932751053ca7710ced80639899db651a4addacf9c05811c0e8ab1842eb66
MD5 hash:	289dc7d56c835295113515aeee1709ac
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67fd14421dba888a93d396ed

Tags:

autorun virus micro msil

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67fd1ca4931404048d7ec1f3/reports/7a1e6064-f982-4c7c-9a7b-5e2a94472a98/overview

Verdict:

Suspicious

Labled as:

Mal/DrodTar

Link:

https://www.hybrid-analysis.com/sample/6a9b302e255168f2985f4126b734cf622e5a90d4121d45ee3fa7579ea7b859af

Result

Verdict:

MALICIOUS

Score:

100%

Verdict:

Malware

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla