MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8224735cb2ed3953be56afd3687bc2956178f7e6403d2a1b0720ae710c166b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c8224735cb2ed3953be56afd3687bc2956178f7e6403d2a1b0720ae710c166b4
SHA3-384 hash:	8c791f8edeaf55a7f28412af8436f9ad4be9166dd14ba8ab715e31eff67e0e2dfcd31c941b800b39611775c99ee80b1e
SHA1 hash:	79c89b181a9545cb3fe4e14fede765f335403be6
MD5 hash:	aeeb06170ab936680c615adf702a751a
humanhash:	eight-july-one-connecticut
File name:	Shipping Documents.pdf.005.z
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	696'904 bytes
First seen:	2023-06-14 09:18:20 UTC
Last seen:	2023-06-15 05:57:41 UTC
File type:	z
MIME type:	application/x-rar
ssdeep	12288:Hbg4mtXNLOmncczLfyCrbcMLgplGetDWhyYRZ11SojdREvh0:7gDNzRzzyVlGSDWbVSojdivh0
TLSH	T16EE42384C72F7A49B30C14FCFF9C148B9E16C15AD4E9A03D352AA75A0B8FDE56C17A11
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla DHL Shipping z

cocaman

Malicious email (T1566.001)
From: ""DHL Express" <auhgateway@dhl.com>" (likely spoofed)
Received: "from dhl.com (unknown [185.225.74.181]) "
Date: "14 Jun 2023 13:05:05 +0200"
Subject: "Shipping Documents"
Attachment: "Shipping Documents.pdf.005.z"

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Shipping Documents.exe
File size:	781'312 bytes
SHA256 hash:	8668cd0f536fc0fb2d750d9d4ed492ac9435a32b7ade9f3e427af470bab09bf9
MD5 hash:	b9518acc697162f3d4fcff6ee699509a
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/6489860842386ee977f42836/reports/e1f77bf5-e991-4832-a5c2-6e7b8ff9fd91/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/c8224735cb2ed3953be56afd3687bc2956178f7e6403d2a1b0720ae710c166b4

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8224735cb2ed3953be56afd3687bc2956178f7e6403d2a1b0720ae710c166b4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-14 09:18:23 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

15 of 37 (40.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zareonolf3jzko7fnl6tnb54fflbpd36mqb5finqoifooegbm22a._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8224735cb2ed3953be56afd3687bc2956178f7e6403d2a1b0720ae710c166b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.