MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef
SHA3-384 hash:	2b09bbefd18619b8feb61b69125b129eee16cc6ccf8f488d76215f3d6a8db9574e36851bf8662bfe0824a87f2147aea9
SHA1 hash:	ce914af526c30982c41b5b14c217828ed1b0ca91
MD5 hash:	5dbaa84ca2b84f693e9122285fa2de6b
humanhash:	vegan-white-delta-lemon
File name:	TT copy.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	511'096 bytes
First seen:	2023-04-22 09:34:59 UTC
Last seen:	2023-04-22 10:00:03 UTC
File type:	zip
MIME type:	application/zip
ssdeep	12288:AKsYtCEfn3y1a9P+WFPsGgnO4HjOzAmGdIEO63cB:8aCEa1al+cPrgO4HkesB
TLSH	T166B423F5769E66F2D36A182AC240454CFC58F82BBFD029C6B47657705AA3287D87C383
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla payment zip

cocaman

Malicious email (T1566.001)
From: "huasheng@gths.cn" (likely spoofed)
Received: "from gths.cn (unknown [208.67.107.136]) "
Date: "22 Apr 2023 03:08:23 +0200"
Subject: "RE: PAYMENT"
Attachment: "TT copy.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

751

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	TT copy.exe
File size:	686'592 bytes
SHA256 hash:	9e1788c269afe73af312508280bf1f8ca7f9049d47e4f0b125c7a75c98610e4c
MD5 hash:	3ecd1a9eddd94cb8761519f43c294da5
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3293.UNOFFICIAL

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230422-0734.UNOFFICIAL

Sanesecurity.Malware.21751.ZipHeur.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6443aa47ebaa3f74ad452af3/reports/172c8d80-908e-428b-8b87-9d4cc1225c7f/overview

Verdict:

Malicious

Labled as:

Troj/MSIL

Link:

https://www.hybrid-analysis.com/sample/b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef/

Threat name:

ByteCode-MSIL.Trojan.StealerLoader

Status:

Malicious

First seen:

2023-04-21 17:04:42 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 37 (21.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w3sdxrw3rioarzl62n2o5oayq2qbkoudlxhwvrvyp3r2e2tuahxq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/b6e43bc6db8a1c08e57ed374eeb81886a0153a835dcf6ac6b87ee3a26a7401ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.