MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2de40c6b794f3fc02d265e7ffcdd5a9f0ef0c6eea2d9d12c3026b77e5996b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c2de40c6b794f3fc02d265e7ffcdd5a9f0ef0c6eea2d9d12c3026b77e5996b1a
SHA3-384 hash:	9e1f71695bb4b5d05c372617e4461b85ba69c4492ddb9a8f316a5a24d5df67c509cfa372539b84daebc0660ef197f185
SHA1 hash:	00edab0bc5aa1d13a8b33e0b275dd25530ef2e46
MD5 hash:	5be0a1f00aa2aa0243ff9d82e6e69f7e
humanhash:	queen-burger-double-spaghetti
File name:	ORDER 80470-4-6847584 2023.R01
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	496'184 bytes
First seen:	2023-06-27 10:16:02 UTC
Last seen:	Never
File type:	r01
MIME type:	application/x-rar
ssdeep	12288:pXRmhchnNHcJQ+hh5442BCfNkjl7N6/N3ArvYdYWXX:pX4hanY57fN02NQrvYdbXX
TLSH	T1D3B433918F8E0D94FBFB11B634B5AE931E523EEDF80183C82765988B9427258650D7B3
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla r01

cocaman

Malicious email (T1566.001)
From: ""Mr. Jayant S. Pingle <mkt.cabt@chaitanyagroupindia.com>"
<sales@hostwt.com>" (likely spoofed)
Received: "from whitfield.hostwt.com (whitfield.hostwt.com [88.209.205.96]) "
Date: "Tue, 27 Jun 2023 01:41:12 -0700"
Subject: "NEW ORDER AP-ALTECO 2023"
Attachment: "ORDER 80470-4-6847584 2023.R01"

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	ORDER 80470-4-6847584 2023.exe
File size:	587'264 bytes
SHA256 hash:	18b6a73808a0524c95b724475d46aca3e42874de551a0fcf7c8d56aff23f105b
MD5 hash:	1a6a8f045ec98881900ed47e19c9923d
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/649ab71f07c2007b16e6f848/reports/4e19faf8-b090-4641-ab90-5cd92faa5280/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c2de40c6b794f3fc02d265e7ffcdd5a9f0ef0c6eea2d9d12c3026b77e5996b1a

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2de40c6b794f3fc02d265e7ffcdd5a9f0ef0c6eea2d9d12c3026b77e5996b1a/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-06-27 10:16:06 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ylpebrvxstz7yawsmxt77tovvhyo6ddo5iwz2ewdajvxpzmznmna._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c2de40c6b794f3fc02d265e7ffcdd5a9f0ef0c6eea2d9d12c3026b77e5996b1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.