MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32
SHA3-384 hash: d45eb0b09cd7664cba844df0213f7009500178674ea01af36307e833b0d3595a5cdf4be17d5a74a28793815494b677df
SHA1 hash: c28805986ada6f9fc87631a17f3795cd266c0a4c
MD5 hash: cb27aa2a3d9a6eb79309fc42d5dfd224
humanhash: april-pasta-kentucky-charlie
File name:QUOTATION PR1700212495.r00
Download: download sample
Signature AgentTesla
Create hunting rule
File size:603'255 bytes
First seen:2023-11-20 07:08:27 UTC
Last seen:Never
File type: r00
MIME type:application/x-rar
ssdeep 12288:gCaZkTYeFPQgvd0nJKHNToHP7pQCDNudDWXEIwAAAOfPNmjGe:2JeF4gvd0JKtToHl/DNuL8UmSe
TLSH T1ACD423CE95F498B3C9C953E6A81AC9B421A4FDC9DEA41FC14B1CC3D116109CA607ADFB
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla QUOTATION r00


Avatar
cocaman
Malicious email (T1566.001)
From: ""Accounts (Destec)" <Accounts@destec-me.com>" (likely spoofed)
Received: "from destec-me.com (unknown [45.137.22.230]) "
Date: "20 Nov 2023 05:20:45 +0100"
Subject: "REQUEST FOR SAMPLES AND QUOTATION ALONG WITH AIR FRIEGHT COST / PR-1700212495"
Attachment: "QUOTATION PR1700212495.r00"

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:QUOTATION PR1700212495.exe
File size:659'456 bytes
SHA256 hash: d5bee1b408958ac6304491317c08dbce37299575d911136a5cdad1d9ca5ad793
MD5 hash: c9385145b9a3dd98c6c4a7595cfc15f7
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 07:08:30 UTC
File Type:
Binary (Archive)
Extracted files:
14
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zz4r64ieccwgneq5vtjoqxdhr7azyzlgae6ewwci5qj4vztr7uza._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 ce791f710410ac66921dacd2e85c678fc19c6566013c4b5848ec13cae671fd32

(this sample)

AgentTesla

Executable exe d5bee1b408958ac6304491317c08dbce37299575d911136a5cdad1d9ca5ad793

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 d5bee1b408958ac6304491317c08dbce37299575d911136a5cdad1d9ca5ad793

Comments