MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1105960cf8c5fa7855e5568751ed483e429d72ad8a272bc5ef8f1e38631b1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	ac1105960cf8c5fa7855e5568751ed483e429d72ad8a272bc5ef8f1e38631b1c
SHA3-384 hash:	fd76667a165f1ff78798a07dd1284e35e90ba487355cb3ea31359b2624e442375807c4989d746f0f93cf33a1c3c97a6d
SHA1 hash:	e219ccc86159adb4d10e423d9caa07bb0a6b26b4
MD5 hash:	2d1734382db4af4677c7c3a35635e750
humanhash:	uncle-victor-red-uniform
File name:	SOA FREIGHT SLIP.r00
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	453'453 bytes
First seen:	2023-07-17 07:50:24 UTC
Last seen:	2023-07-17 07:51:01 UTC
File type:	r00
MIME type:	application/x-rar
ssdeep	12288:7NLng3EUG37IRjR/gJv6dkGsKKBRXEImuWB8BDo401nix:WO3kZR/yvpXBhEEWBZY
TLSH	T1E1A423600235E4877B998757CE44323CC2BA81911A3F166E7EBF4AECA90C71A1CDD6F5
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla Maersk r00

cocaman

Malicious email (T1566.001)
From: ""Hao Lam" <albert@petvacationinfo.com>" (likely spoofed)
Received: "from petvacationinfo.com (unknown [185.222.57.70]) "
Date: "17 Jul 2023 07:27:39 +0200"
Subject: "RE: LATEST SOA Maersk "
Attachment: "SOA FREIGHT SLIP.r00"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SOA FREIGHT SLIP.exe
File size:	645'632 bytes
SHA256 hash:	6fb64f7e90516c0003e7cd104a2370a22c5949871bc653067d0100229f8f9717
MD5 hash:	38d09df667df0e7a16b89d00e5c0b323
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20230717-0737.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed replace

Link:

https://www.filescan.io/uploads/64b4f2e7fd9e198dc114d98b/reports/42b26b06-7ca0-47f3-8179-c363f3bc9ad0/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/ac1105960cf8c5fa7855e5568751ed483e429d72ad8a272bc5ef8f1e38631b1c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac1105960cf8c5fa7855e5568751ed483e429d72ad8a272bc5ef8f1e38631b1c/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-17 03:22:31 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vqiqlfqm7dc7u6cv4vlioupnja7efhlsvwfcok6f56hr4odddmoa._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/ac1105960cf8c5fa7855e5568751ed483e429d72ad8a272bc5ef8f1e38631b1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.