MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e4d94a8cbae20e551bd82c5663b5da3efdc5acaf22c765d21b392da761d5678. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	6e4d94a8cbae20e551bd82c5663b5da3efdc5acaf22c765d21b392da761d5678
SHA3-384 hash:	2880396947acd386219bd0c4f7df2a3d46d66cb8525cb3c8f3373749f9a1eea86d2eba69daa4163bc5018cea7cfef5ea
SHA1 hash:	ea563d43c95aa93536b23e3282086d340f21f6bc
MD5 hash:	2ecb63642970c6bb5b7e612b0cacdb9b
humanhash:	salami-arizona-green-november
File name:	QUOTATION 9982_pdf.r01
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	786'946 bytes
First seen:	2023-06-23 07:10:02 UTC
Last seen:	Never
File type:	r01
MIME type:	application/x-rar
ssdeep	24576:InmCN0NlG/xiZ73K+4MbPwl1IlqOHDvcNP:ImJNluxU76+Z0IlhjvI
TLSH	T115F4230C7F2C68E867E7BDE68054612359EEE6A1882947FB79D311CB169736E0490AC3
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla QUOTATION r01

cocaman

Malicious email (T1566.001)
From: "Fred Richardson <pbm@lasaulec.nl>" (likely spoofed)
Received: "from lasaulec.nl (unknown [194.93.58.112]) "
Date: "22 Jun 2023 23:05:48 -0700"
Subject: "Re: inquiry product."
Attachment: "QUOTATION 9982_pdf.r01"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	QUOTATION 9982.exe
File size:	1'017'856 bytes
SHA256 hash:	270c725317f2b853d6881e7d7bab116fca000142390eeac19d9dd50d8b8c10ef
MD5 hash:	2fb3915f59e56ce44042d6e356e2d19e
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6495455043d6e275c26b110b/reports/e5fd32e5-3ca9-43ce-8a83-6d0472bc9063/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/6e4d94a8cbae20e551bd82c5663b5da3efdc5acaf22c765d21b392da761d5678

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e4d94a8cbae20e551bd82c5663b5da3efdc5acaf22c765d21b392da761d5678/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-22 12:26:14 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nzgzjkglvyqokun5qlcwmo25upx5ywwk6iwhmxjbwojnu5q5kz4a._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e4d94a8cbae20e551bd82c5663b5da3efdc5acaf22c765d21b392da761d5678

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.