MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58
SHA3-384 hash:	323bef4cf6244ae2f51bf84c747aa69c0af154c972fb613ebfb08effa19d0a63b9116d86f4dbfbaef91233e956bce63c
SHA1 hash:	b6471805895dac270c396f20c2e33942a0188a18
MD5 hash:	ce15b0662afa01dae569d0c1a2e4c877
humanhash:	eight-mississippi-whiskey-april
File name:	SHIPMENT DOCUMENT.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	343'048 bytes
First seen:	2022-12-16 19:46:33 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:27HLS1TZZ+n11c/ezvvXNcXIMZsxwqjYauwXszOZwoIp1nAiiW4VSJlSFaal:2DL01JMvvXN6RGxw2YauwXGUg1nAii5l
TLSH	T1BC74239C68A42FAFC803EC15A5E1B87A7F35BBA427E644102095EFE053C4B78955FB1C
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla zip

cocaman

Malicious email (T1566.001)
From: ""Kathy.donald" <Kathy.donald@glship.com>" (likely spoofed)
Received: "from glship.com (unknown [45.137.22.173]) "
Date: "12 Dec 2022 14:30:03 +0100"
Subject: "RE:SHIPMENT DOCUMENT"
Attachment: "SHIPMENT DOCUMENT.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SHIPMENT DOCUMENT.exe
File size:	487'424 bytes
SHA256 hash:	473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d
MD5 hash:	6056f18ab8a6b4fce4e2f5c6df55b481
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn51.UNOFFICIAL

SecuriteInfo.com.Variant.MSILHeracles.55409.27208.26728.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58/results/dashboard

Gathering data

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-12-12 13:44:54 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qdgx3yxoeci3nsr7onmsl23x5mcwn5xsbcpkdizc3yrdg5ilzrma._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/80cd7de2ee2091b6ca3f735925eb77eb0566f6f2089ea1a322de2233750bcc58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.