MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 19 File information Comments

SHA256 hash:	6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07
SHA3-384 hash:	6fc4656a1ba09e2b1371eeb21d23f2851b5621b7b2f8a944ce9bd2060ca6ab4d6a79396cee58dfa34ae77931a9293fb2
SHA1 hash:	debfa90d46ebbfae5cb7a5e616c40deec507c6b8
MD5 hash:	62d4a6a90855f121d8970bd8603577aa
humanhash:	west-music-high-high
File name:	Comanda de achiziție OP nr. 1068 16-01-2024.PDF.uu
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	617'379 bytes
First seen:	2024-01-27 13:15:24 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:bitKwrp/2QQYnszw3z4ic+YWBNfHBR2QvoeLP5/ZXdyPRM:+tVl2QQXsy5wfhIZeLR/ZtsK
TLSH	T158D433EF6C797691691F2F436B2C3BC2062615FA0F95465E26EDEF94902CCB170ADC20
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	e24111111111111
Tags:	AgentTesla rar

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Comanda de achiziție OP nr. 1068 16-01-2024.PDF.exe
File size:	1'247'232 bytes
SHA256 hash:	65e6a5426b11cfc1a6556314ae5e6de77f798bc9f3a25d9205c3999e705d2b9c
MD5 hash:	9a7dc3bb327b210acfa0354ed58dad1e
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07/results/dashboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07/

Threat name:

Script-AutoIt.Spyware.Negasteal

Status:

Malicious

First seen:

2024-01-25 11:15:38 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nz5olmafcimlz6g2sf2h23yei7b43uexyezxnean6zw5oheyt4dq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV2 Create hunting rule
Author:	ditekshen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 6e7ae5b0051218bcf8da91747d6f0447c3cdd097c13376900df66dd71c989f07

(this sample)

AgentTesla

exe 65e6a5426b11cfc1a6556314ae5e6de77f798bc9f3a25d9205c3999e705d2b9c

Dropping

SHA256 65e6a5426b11cfc1a6556314ae5e6de77f798bc9f3a25d9205c3999e705d2b9c

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample