MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553
SHA3-384 hash: a827eca98bc82c557aa351c8ec359ad3fd0fd151367f8dc81065bee1b9defb2995637acb3b60b9819e59001a484d71eb
SHA1 hash: 6782cbf6c6fe9e107087143f3e3ebfc07a791f04
MD5 hash: 50616586d85274a8b27f0d654e6c91a1
humanhash: timing-mobile-helium-mirror
File name:SOA.r15
Download: download sample
Signature AgentTesla
Create hunting rule
File size:633'159 bytes
First seen:2024-08-03 09:51:49 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:WKggXUf8Krrvle85Sgbtys+M051RksGUwW1RBy8nA9w9fOvvmFb:PgiOr0gSzs3WLf/jnCwcvvw
TLSH T150D42387B4F55880469AE1BD78BAE6F08E4276C825F0FEC7DB27092867871667CF4413
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla r15 rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Waltraud.Zehentner@insa-airandsea.com" (likely spoofed)
Received: "from [141.98.10.55] (unknown [141.98.10.55]) "
Date: "1 Aug 2024 07:49:49 +0200"
Subject: "SOA JULY, 2024 Statement - 22387 "
Attachment: "SOA.r15"

Intelligence

File Origin
# of uploads :
1
# of downloads :
427
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:SOA.exe
File size:1'161'216 bytes
SHA256 hash: 36136923c9475c273bce4a1c5bff84b565635565a6bf470e6626ea33a4c3a358
MD5 hash: c5222a9cc1037a4cb2b18d0a88d936d0
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ab3984037b02d0daece35a
Tags:
Shellcodecrypter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit epmicrosoft_visual_cc fingerprint keylogger lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66adfdc7dfa8b2fced5140ce/reports/8c9af987-b393-4a6d-b419-0317f4710d31/overview
Verdict:
Suspicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-08-01 05:46:25 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6u2pxgvdb6sknwujlfuol253f3vrahz6os7tjn5q6tdikdkgvjq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar a7a9a7dcd5187d2536d44acb472f5dd9775880f9f3a5f9a5bd87a634286a3553

(this sample)

AgentTesla

Executable exe 36136923c9475c273bce4a1c5bff84b565635565a6bf470e6626ea33a4c3a358

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 36136923c9475c273bce4a1c5bff84b565635565a6bf470e6626ea33a4c3a358
  
Dropping
AgentTesla

Comments