MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abaa0a631b47aa89596ec18a9f1600e0dad07ee7c40c7dd6dcde69202db335c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	abaa0a631b47aa89596ec18a9f1600e0dad07ee7c40c7dd6dcde69202db335c7
SHA3-384 hash:	c5d333fc26bc5f884a5e4ad945e60220a0f87a7be3c90e9568f01e8eddc3a25635aaf6cbdc36f1e132ed3cb085c0d4e2
SHA1 hash:	a898a9b7d71b7424b8698247a824e085592bac92
MD5 hash:	ebbbb2342220ade28af68b49a9048969
humanhash:	blossom-beryllium-virginia-coffee
File name:	Payment invoice.z
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	532'669 bytes
First seen:	2023-07-26 05:17:01 UTC
Last seen:	Never
File type:	z
MIME type:	application/x-rar
ssdeep	12288:gxVWy3Gx8F6A8LzxrWvrsVR+LFWT51BCM6Mbw0AlU:gC/8jez64VRRrjtAlU
TLSH	T185B423EB7196F6D1A2526AE8E1308EB3447A3794104D8CFAC8192BF5EC6C1DD3F43919
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla INVOICE payment z

cocaman

Malicious email (T1566.001)
From: "Accounts Department <rud-division@alkuhaimi.com>" (likely spoofed)
Received: "from alkuhaimi.com (unknown [87.120.88.254]) "
Date: "26 Jul 2023 00:40:36 +0200"
Subject: "Re: Payment Invoices #091118"
Attachment: "Payment invoice.z"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Payment Invoice.exe
File size:	582'656 bytes
SHA256 hash:	44629b23544b686ea4d3956e054acbeea83904dce8ebc1e6beb8dd4d0b64032b
MD5 hash:	6fa87097292d2a613d24e8dd53aa7b48
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27502.Rar5Heur.UNOFFICIAL

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/abaa0a631b47aa89596ec18a9f1600e0dad07ee7c40c7dd6dcde69202db335c7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/abaa0a631b47aa89596ec18a9f1600e0dad07ee7c40c7dd6dcde69202db335c7/

Threat name:

ByteCode-MSIL.Trojan.Negasteal

Status:

Suspicious

First seen:

2023-07-25 18:46:29 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vovauyy3i6viswloygfj6fqa4dnna7xhyqgh3vw43zusalntgxdq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abaa0a631b47aa89596ec18a9f1600e0dad07ee7c40c7dd6dcde69202db335c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV4 Create hunting rule
Author:	Rony (r0ny_123)

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it