MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08
SHA3-384 hash:	bd93e4483e8a69b9652cbf4424c484bc96eacd3f928c07390a4bc141092ca4240ae2b2cee8c6ffa728ebbb52f1359850
SHA1 hash:	58caeb2e6b27908fd4ec3209c177b532a16dbce5
MD5 hash:	aa3433b42e97e34fa9af57219caf6928
humanhash:	ten-three-nuts-apart
File name:	US$ 54,042.07.pdf.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	550'189 bytes
First seen:	2023-07-13 10:24:05 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:KAzZnkZLwXcsumI/x0q3bXNdPMnnXCvmyrX7K8RbSew4ect+Sn1hBzar1VYie:ZkZmEB5NbXNdPMnXWXe8RI4echbeBfe
TLSH	T11EC4238E989D8BB2323537864813EBFD6883C85C9D7E0C47B9E125F40659FB6E803795
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	AgentTesla payment zip

cocaman

Malicious email (T1566.001)
From: "flora@johanship.com <flora@johanship.com>" (likely spoofed)
Received: "from johanship.com (unknown [185.225.74.18]) "
Date: "13 Jul 2023 12:23:07 +0200"
Subject: "Re: PAYMENT 2023 & Updated SOA"
Attachment: "US$ 54,042.07.pdf.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	US$ 54,042.07.pdf.exe
File size:	587'776 bytes
SHA256 hash:	f8105fdfa774017614ec9aa30084a2a6645456c05704896fc972dd5d0c99ec76
MD5 hash:	a1d8b9e0aa1079365ebf5af342a4ca61
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL

Sanesecurity.Malware.25518.ZipHeur.Ext.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64afd0ffb1d2dc145c1cd3cf/reports/54399aed-ceb0-444c-8006-7621ad9bd9d9/overview

Verdict:

Malicious

Labled as:

HIDDENEXT/Worm.Generic

Link:

https://www.hybrid-analysis.com/sample/c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c958efb900951d953a9870e712ae6036802fc765fc9afa319a847e304f3c2d08/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-12 13:21:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfmo7oiasuozkouyodtrfltag2ac7r3f7snpumm2qr7datz4fuea._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.