MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9
SHA3-384 hash: 6db7de2a60ece90290616134cf77ed87eb5388f251ec85993be288ebe1a2465495e5d5fefa7c7f6d5dfd9eb8979b9c86
SHA1 hash: eff02e0b7cae6bef80cade0fa50ff8e830359d58
MD5 hash: 8649a5248812491cf5d512194361caee
humanhash: oklahoma-fanta-bacon-red
File name:Bank slip rar.7z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:672'960 bytes
First seen:2023-11-16 15:37:43 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 12288:0BKNzQ2YWQadMJmdDRJXFFmjnYQaFtWfA/lCVeJI3AbPTFJvBwQU9qLllbDK9s:bNQfWQeImhRJXFEjnYQaFt+yUV7QNpO6
TLSH T12CE42344ECEED7FBA49C051B7A570EADC03B773A9E98581050B229D801F1A0FC9B176C
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:7z AgentTesla payment


Avatar
cocaman
Malicious email (T1566.001)
From: "ops@esmaritime.com" (likely spoofed)
Received: "from esmaritime.com (unknown [185.222.57.136]) "
Date: "15 Nov 2023 18:14:43 +0100"
Subject: "MV FORTUNA // EPDA PAYMENT ARRANGMENT/Bank slip rar"
Attachment: "Bank slip rar.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Bank slip rar.exe
File size:974'848 bytes
SHA256 hash: 0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332
MD5 hash: a3886ffd539120ead48a0663fa7619e2
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.7z_rar.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.2532.543.22717.UNOFFICIAL
Create hunting rule

Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cryptojoker packed
Link:
https://www.filescan.io/uploads/6556375dd8596cbe6b3d2010/reports/4f3145f3-4b7c-4f72-86b8-c270041f4658/overview
Verdict:
Malicious
Labled as:
Mal/Drod7zip
Link:
https://www.hybrid-analysis.com/sample/cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
100%
Verdict:
Malware
File Type:
Archive
Link:
https://malprob.io/report/cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9/
Threat name:
ByteCode-MSIL.Ransomware.CryptoJoker
Create hunting rule
Status:
Malicious
First seen:
2023-11-15 09:42:31 UTC
File Type:
Binary (Archive)
Extracted files:
61
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zl7kbx5iff7rmd7sn4uqwzhlpvdwyfkhfzjmjuj4gjh4fqmcqh4q._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z cafea0dfa8297f160ff26f290b64eb7d476c15472e52c4d13c324fc2c18281f9

(this sample)

AgentTesla

Executable exe 0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 0f6154350e73fcd971f98f7bf3fd43773edd1cca24c16d259a4c755958970332

Comments