MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979
SHA3-384 hash:	b14bad4fc42440a72a4326a39324fbfe26c9c1e9c964fdcc7513d5a69b16333ce2fbc44ab5a95ca5db173af3390f48c5
SHA1 hash:	dd323511ef2736ef6b46e3143745b0dd69864998
MD5 hash:	00542774cb67dda6d652d753ff4cae9a
humanhash:	mockingbird-beryllium-ten-wyoming
File name:	PO#JB2210-0005.r15
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	917'257 bytes
First seen:	2023-02-27 19:24:17 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:sK5ypQPtMXPsu/A0tIrCEWrjyrJUv+CBu3hkfJi41:wQOfsuI0uCEmYJr8yhkfc41
TLSH	T15915338089FE70816FDDB352C6A4F68CCC9A69264254C352A7593A31D85AC67BCFF307
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	r15 rar

cocaman

Malicious email (T1566.001)
From: ""Tee Kai Ling" <teekl@ql.com.my>" (likely spoofed)
Received: "from [193.42.33.216] (unknown [193.42.33.216]) "
Date: "27 Feb 2023 12:37:50 +0100"
Subject: "RE: PO#JB/2210-0005 ARCO MARKETING"
Attachment: "PO#JB2210-0005.r15"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO#JB2210-0005.exe
File size:	1'100'800 bytes
SHA256 hash:	1b177241fde84d89a296288549d8a3eb09d0266b15f5cd887a5aed360e3ccc90
MD5 hash:	93a25583729db52388572ef7b3e07228
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27363.Rar5Heur.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63fd0392589e1e4c5bd9a977/reports/5c9633a7-929f-4d7a-9937-63612e58a83a/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-02-27 08:33:09 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojegnc26e32mxw2vqelx3f2buzmyyy4ndyisrrq4yynpgbuphf4q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/7248668b5e26f4cbdb5581177d9741a6598c638d1e1128c61cc61af3068f3979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.