MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cb8eb0f60dc522ec6b24a5e8e7efe9e343bb6b2965e152cdabc2c32c99a06b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: XWorm
Vendor detections: 7



SHA256 hash: 9cb8eb0f60dc522ec6b24a5e8e7efe9e343bb6b2965e152cdabc2c32c99a06b7
SHA3-384 hash: e0b9e88523470dd3dd386b928f5f8d58bf4574dd1b943685c89247c13c4a35028720f0218e8a6a351d981cc1b2b234f3
SHA1 hash: 2c5ff6d0093b7cada423d9a30700e3d480f36760
MD5 hash: 84df2426afac1cb72c728294e5dc07b1
humanhash: ack-virginia-wyoming-nevada
File name: 00987654345678.r09
Signature: XWorm
File size: 379'200 bytes
First seen: 2023-03-15 07:54:31 UTC
Last seen: 2023-03-15 07:55:42 UTC
File type: r09
MIME type: application/x-rar
ssdeep: 6144:ltxcW014ebTOWXeGaJkSGb+JAdX9Z5c3ywMnRiNom3QDLK2zVrDpAUgLaHOiWKzj:ltxcW0ZbSxJk7bDtCyjnRljLK2snghWk
TLSH: T1A8842397D51279528123584F353EA17DC68CC6747E0A02C87F9BAF6801285DEB13F9EB
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: HSBC payment r09 xworm


cocaman
Malicious email (T1566.001)
From: "HSBC Advising Service <advising.service@mail.hsbcnet.hsbc.com>" (likely spoofed)
Received: "from [103.187.4.59] (unknown [103.187.4.59]) "
Date: "15 Mar 2023 06:42:59 +0700"
Subject: "Payment Advice - Advice Ref:[PL09456789876] / ACH credits / Customer Ref/ Second Party Ref:[SF]"
Attachment: "00987654345678.r09"

Intelligence


File Origin
# of uploads: 2
# of downloads: 171
Origin country: n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: 00987654345678.exe
File size: 853'504 bytes
SHA256 hash: c6af80e6ed0b9f93b7e14e956dac74d7affe71097f9ab14786e8fdd0469f4d25
MD5 hash: a849578e8bd54ed3528453a03dcd8760
MIME type: application/x-dosexec
Signature: XWorm

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cerbu vidar

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-03-14 17:11:39 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: XWorm, r09, 9cb8eb0f60dc522ec6b24a5e8e7efe9e343bb6b2965e152cdabc2c32c99a06b7 (this sample)

Delivery method: Distributed via e-mail attachment
