MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90959e1ac99eb3c0724933bd560c8ed81bda1733aa2007c77e0fdfba1dee0854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90959e1ac99eb3c0724933bd560c8ed81bda1733aa2007c77e0fdfba1dee0854
SHA3-384 hash: bfc23dab6106f9b3b58f15ff91fef962852c94353709e7901921d4fe989b57793a564c29f8b6f35cc9162b20076b723b
SHA1 hash: 3828a6867b093f4a30d3640b8ff828bd8eb26a94
MD5 hash: 5243b6e60f11e0b1a13689521879ef6e
humanhash: orange-river-pip-robin
File name:PO#D23042 ZZ-23IMP(MECH)NBI.pdf.z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'012 bytes
First seen:2023-05-15 07:15:38 UTC
Last seen:Never
File type: z
MIME type:application/x-rar
ssdeep 12288:UUo9bErfTpBCxiz7r3v/uEq0LLieJ9/22F3enjo6VcHn8dOpf:I9Arrxfvn7Lj/DFOnjorHnvf
TLSH T1C5B42315E3FCCCF8245875C3769D6B14FFD99AD534ACC522A14FFA1E49C089462A4B83
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla z


Avatar
cocaman
Malicious email (T1566.001)
From: "Tengbin Xu <sales@excellencepump.com>" (likely spoofed)
Received: "from excellencepump.com (unknown [45.137.22.121]) "
Date: "15 May 2023 04:41:19 +0200"
Subject: "NEW ORDER- PO#D23042 ZZ-23/IMP(MECH)NBI"
Attachment: "PO#D23042 ZZ-23IMP(MECH)NBI.pdf.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PO#D23042 ZZ-23IMP(MECH)NBI.pdf.exe
File size:673'792 bytes
SHA256 hash: 9ade1aaf821812d038b9bab451e0b48fad06c688e738a522e2d3d9947421209a
MD5 hash: 8b4ad89036902ff2029123db385738d4
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27363.Rar5Heur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6461dc33e18b58ecd89b7231/reports/94baacae-301d-4022-9534-60f0b7692970/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/90959e1ac99eb3c0724933bd560c8ed81bda1733aa2007c77e0fdfba1dee0854
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90959e1ac99eb3c0724933bd560c8ed81bda1733aa2007c77e0fdfba1dee0854/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 02:33:30 UTC
File Type:
Binary (Archive)
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sckz4gwjt2z4a4sjgo6vmdeo3an5ufztviqapr36b7p3uhpobbka._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research
Rule name:SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4
Create hunting rule
Author:Florian Roth
Description:Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 90959e1ac99eb3c0724933bd560c8ed81bda1733aa2007c77e0fdfba1dee0854

(this sample)

AgentTesla

Executable exe 9ade1aaf821812d038b9bab451e0b48fad06c688e738a522e2d3d9947421209a

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 9ade1aaf821812d038b9bab451e0b48fad06c688e738a522e2d3d9947421209a
  
Dropping
MD5 8b4ad89036902ff2029123db385738d4

Comments