MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798
SHA3-384 hash: 2c65c31d7686189b46498ec375c9baa14b544400b9ef1ed8ba9940b663ec1ced3a393b0ef299959dc11f2f1e1a04bd5b
SHA1 hash: 80bcb39315620d4d1c989d07a46bb566246a11f3
MD5 hash: a266e6e5da5ffa1e35b5f6e3316376ac
humanhash: purple-december-jupiter-hydrogen
File name:invoice.pdf.z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:729'800 bytes
First seen:2023-03-28 07:23:42 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 12288:6Qug8Ha7BvETWnZJNBSrUoPV5iu/JbY/qNQ0FxQOcpSS63dhiQqYPmvsBlFIXy:6Rg8HaZ/ZfBAUMVQAJ0uDQOESt3riTMP
TLSH T1EBF433C248F341A8AEDFBDE5364AA8CA536AF7370B19661EE99D3511335BD0B014F0C2
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla HSBC INVOICE z


Avatar
cocaman
Malicious email (T1566.001)
From: "HSBC BANK PLC <no-reply@hsbc.com>" (likely spoofed)
Received: "from hsbc.com (unknown [103.183.114.51]) "
Date: "28 Mar 2023 10:55:21 +0700"
Subject: "Fw: HSBC TT Copy"
Attachment: "invoice.pdf.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:invoice.pdf.exe
File size:809'984 bytes
SHA256 hash: 0447c43cc9d78ef162784c4ae1ce6baa8289f9c159ec6baf735072a93bb51a88
MD5 hash: 083c066431159d98ebffd1788bf43ee9
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook packed remcos
Link:
https://www.filescan.io/uploads/642296159c109cf74b303d97/reports/9b6a4925-0db9-4706-90d7-425e90f2d85d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798/
Threat name:
Win32.Trojan.Tisifi
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 07:24:07 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4xw4gmvqvks5xxnoecfbd6fntgb2tdklisqdz3aqurnxopkw6ma._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4
Create hunting rule
Author:Florian Roth
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 872f6e199585552edeed7104508fc56ccc1d4c6a5a2501e7608522dbb9eab798

(this sample)

AgentTesla

Executable exe 0447c43cc9d78ef162784c4ae1ce6baa8289f9c159ec6baf735072a93bb51a88

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0447c43cc9d78ef162784c4ae1ce6baa8289f9c159ec6baf735072a93bb51a88
  
Dropping
MD5 083c066431159d98ebffd1788bf43ee9

Comments