MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cada5fc5359b0f9ccf0315e7e5da3592517b324b41e0dd57311831618c5d1a84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cada5fc5359b0f9ccf0315e7e5da3592517b324b41e0dd57311831618c5d1a84
SHA3-384 hash: ebc96b54056d81d3fc8196b32cfd2a828424250ec76329e90aaff02cac63b7c0f91fad5f2649b1d4198385873e70ff89
SHA1 hash: bdbc28b5114251ac9f44bafb4a22eac96ed312f2
MD5 hash: d617f32e05741ed8ac3ce85517ff7fae
humanhash: quiet-oranges-leopard-early
File name:PO2.xll
Download: download sample
File size:652'293 bytes
First seen:2022-04-15 07:02:59 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep 12288:D0Ws7IMtR4yVld8bzbBSrebPMgFK/UqW1:D0bdkX1ecL
Threatray 46 similar samples on MalwareBazaar
TLSH T1D9D46C55BECA6EA1EFBF47BB8361D62D0226735D03A1A6CF360305993951FC2453EA03
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO2.xll
Verdict:
No threats detected
Analysis date:
2022-04-15 07:08:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/242b65d0-8786-4833-bb50-53390b9a96b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.312.27193.19952.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/cada5fc5359b0f9ccf0315e7e5da3592517b324b41e0dd57311831618c5d1a84/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed packed
Link:
https://www.filescan.io/uploads/625918aaeab80a7a6c19ee31/reports/ce876e75-bb85-4542-b80d-1a7a21c1e9de/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cada5fc5359b0f9ccf0315e7e5da3592517b324b41e0dd57311831618c5d1a84/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 07:03:09 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
4 of 42 (9.52%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0c2a4483319382571e9b470d292d0b4bdd4e7e700ff5722a979e4498c147693f
0d39c74b9b2d8f9f6986b5ca4bba3f47e75e3ec3ee14c6ecf9beb350fb08d56f
4a9683f3b6658f4895cd3d44c4920d77db5dfd410cf0dc188e4f4d2740c24539
5687795956025667a92af458adfc60b32e82df2449a70740c9137609a52726f6
61fe696f1f01753b90b6054fc390025f644a69a8c85a89dc83ac76cae19f79fb
727f124333294aaba156840955cbfc6ac7470768c65c1582c5e0dbfcb6f8722f
b208a4a53f2622d6c62ecf258987a2038dad2255739f089e8994acc8f6ea0026
c939ce949377b0bda7de743d59d8495fe403f35dac0bce0cf4972bf1c42484a3
ce5c54ac577153e15fb793c022b54fb473752b876525111d6aac97369e72e85e
df22b02f086ac431a0d5687e0b4e96bf57f854bc0f006abb0e8fc67a8d7a7107
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220415-hvk7aaagbr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned suspicious child process
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cada5fc5359b0f9ccf0315e7e5da3592517b324b41e0dd57311831618c5d1a84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:t0_1
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments