MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d
SHA3-384 hash: 2397e9c54cda9fa581eb85e6697b4f825fa8a6f04ae7ac40b59fed54c140d83465f5294bcebcf0cfea935dfaf4158fef
SHA1 hash: 6a8f9c7e45037f9001a8590b1eb39a11f7b8c4fd
MD5 hash: 456b09df4857047b37307e573fcee778
humanhash: wolfram-crazy-uranus-sierra
File name:proforma invoice.r00
Download: download sample
File size:740'435 bytes
First seen:2023-11-23 08:45:49 UTC
Last seen:2023-11-23 15:46:35 UTC
File type: r00
MIME type:application/x-rar
ssdeep 12288:oRxPc9LjcFnrDTAxZvUX2XXTBFKXqSeubXeBR8B2eRTD/fTq70srz:oQ/oDwZvDzgqSe6XeBuBRl/Gbz
TLSH T162F42304CDD10DA207570A17B6BA314299BDD425FF81B8CAED7872DA2634F8C5BBE1E1
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:INVOICE payment r00


Avatar
cocaman
Malicious email (T1566.001)
From: "tagazo@hotmail.com" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [185.222.58.245]) "
Date: "23 Nov 2023 01:55:55 +0100"
Subject: "RE: USD Payment Confirmation"
Attachment: "proforma invoice.r00"

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:5WCPtYHfbr7UXQf.exe
File size:1'175'040 bytes
SHA256 hash: b67abceaad8827d5b7758e2351c16fbe50e80d71e371bcac2a1bbd95857a7bf8
MD5 hash: 2ffbb98b649470642aa18631c40836f5
MIME type:application/x-dosexec
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Rogue.0hr.20231123-0735.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/655f114f92fc3dea6397d9e8/reports/94c2966f-c0ad-4eaf-b8e2-5994d41a89fb/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-11-23 00:51:34 UTC
File Type:
Binary (Archive)
Extracted files:
79
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3k2qaf4z2it62xvqca5veufcjaq6tws6dcj6ftljz5qasayuaaoq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 dab5001799d227ed5eb0103b5250a24821e9da5e1893e2cd69cf60090314001d

(this sample)

AgentTesla

Executable exe b67abceaad8827d5b7758e2351c16fbe50e80d71e371bcac2a1bbd95857a7bf8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b67abceaad8827d5b7758e2351c16fbe50e80d71e371bcac2a1bbd95857a7bf8

Comments