MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4a73afc9b8ce70b8998af7d2ca93565a96ccda2e7b07b536af4438ca040282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	cd4a73afc9b8ce70b8998af7d2ca93565a96ccda2e7b07b536af4438ca040282
SHA3-384 hash:	57359449490538da28208724d2aa03dc7605e47323f659aa002ea22dc22eeb225cb40064d49045e98b340f96da37854f
SHA1 hash:	5eaf59ca02c5a44671ad87c37ea4ece141baa727
MD5 hash:	4adcd98540998231823c658567d87330
humanhash:	mountain-maine-eleven-papa
File name:	PO-91402278.r00
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	491'315 bytes
First seen:	2023-03-14 00:59:32 UTC
Last seen:	2023-03-14 01:01:23 UTC
File type:	r00
MIME type:	application/x-rar
ssdeep	12288:feKsPulueSCbutrmW8x2AS7rQlfoabsbijpvydtyPQWWTdDm:W7UueVCmFxY3b/bz1ddDm
TLSH	T112A423C14F94BB45D1CDF372A1A66526A98DE92100C25C96A60F8A213B1B7DC7DCD0FF
TrID	58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1) 41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla r00

cocaman

Malicious email (T1566.001)
From: "Karen.ng@wuerth-industry.my" (likely spoofed)
Received: "from wuerth-industry.my (unknown [103.161.174.164]) "
Date: "14 Mar 2023 02:36:51 +0700"
Subject: "RE: Purchase Order 91402278 dated 11_03_2023"
Attachment: "PO-91402278.r00"

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO-91402278.exe
File size:	619'520 bytes
SHA256 hash:	0f3591120f2f986f136cc78f39ee44b66e002dd5dec008f814acc8b54de2a962
MD5 hash:	763772a6e8321fa148605aa253ed45d4
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27572.Rar5Heur.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/640fc71508b02b266d167f8e/reports/581caadf-da3d-4312-84ae-62f6fb8cfb40/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/cd4a73afc9b8ce70b8998af7d2ca93565a96ccda2e7b07b536af4438ca040282

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd4a73afc9b8ce70b8998af7d2ca93565a96ccda2e7b07b536af4438ca040282/

Threat name:

Win32.Trojan.Zmutzy

Status:

Malicious

First seen:

2023-03-13 19:48:38 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

14 of 39 (35.90%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zvfhhl6jxdhhboezrl35fsutkznjntg2fz5qpnjwv5cdrsqeakba._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/cd4a73afc9b8ce70b8998af7d2ca93565a96ccda2e7b07b536af4438ca040282

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist