MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5998fe4f7015745ff808980f3c004ac4dc715bb1f7ac2ec9f1bfdef0bfba219. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	c5998fe4f7015745ff808980f3c004ac4dc715bb1f7ac2ec9f1bfdef0bfba219
SHA3-384 hash:	6e76200efe7a4cdd9021c8989c0b3ea1a9eb606a0f20ebfb254d15d9baa6b67a0bef2b1d04c0e2e9466537ceedf80d56
SHA1 hash:	9125308711212a2ec233aa1d7480ad038517a133
MD5 hash:	5b1124e43853364b49031a46925421ec
humanhash:	stairway-victor-kansas-texas
File name:	P O.r15
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	8'413 bytes
First seen:	2023-02-01 11:21:04 UTC
Last seen:	2023-02-01 11:22:04 UTC
File type:	rar
MIME type:	application/x-rar
ssdeep	192:QegNo5vx002wtJk9E3BHINo74NlKPfNGfXRJMxkf:0NWZ003JkiBHI44NlyfKJyI
TLSH	T159029E79A21D790A796DE72D34AEC0F8F40E0C4D575883AA3400887A4E627605AB7FED
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla r15 rar

cocaman

Malicious email (T1566.001)
From: "sales@ghanchigroup.com" (likely spoofed)
Received: "from ghanchigroup.com (unknown [45.137.22.250]) "
Date: "01 Feb 2023 08:32:09 +0100"
Subject: "RE: Request for quote"
Attachment: "P O.r15"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	P O.exe
File size:	18'432 bytes
SHA256 hash:	98b086595cf2d76a5aa7677c6e66fa49972630ad9adc81eb73079744d550e175
MD5 hash:	cb24258d302a8aa186f84291d248c123
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/c5998fe4f7015745ff808980f3c004ac4dc715bb1f7ac2ec9f1bfdef0bfba219/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

kryptocibule

Link:

https://www.filescan.io/uploads/63da4b5b1c9cbf7d62551ae8/reports/5d584571-0b47-492b-8570-a3aeb5ace3dc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5998fe4f7015745ff808980f3c004ac4dc715bb1f7ac2ec9f1bfdef0bfba219/

Threat name:

Win64.Trojan.Injuke

Status:

Malicious

First seen:

2023-02-01 08:55:16 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ywmy7zhxaflul74argaphqaevrg4ofn3d55mf3e7dp666c73uimq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

collection

Link:

https://tria.ge/reports/230201-n7e4pafa3z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Uses the VBS compiler for execution

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/c5998fe4f7015745ff808980f3c004ac4dc715bb1f7ac2ec9f1bfdef0bfba219

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.