MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
SHA3-384 hash: 554a99cb90cfb33f64d3bd1d25ce3cbf0a454982e78290dbf0e7d0dd716064be24ab3cd83c73fd396a6c772b7e2234bc
SHA1 hash: 3a46702f71aedc5810f87914efb3f0cadd1991e5
MD5 hash: c359ae05a71a5a2969ef2ccafeac6de7
humanhash: fish-washington-bravo-bluebird
File name:PO.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:767 bytes
First seen:2023-10-19 07:53:45 UTC
Last seen:2023-10-22 18:26:39 UTC
File type: zip
MIME type:application/zip
ssdeep 12:5j4/1v3ymOIJ63fc5viMThAFJSP8LJ73mdJMdS8g0IQvnI/DjH7tGV+8+4lHeqNl:94/1viGJBviLuLm69Qvmn7tk1dlH7Hjx
TLSH T11D011574EBBA9204FF4E4479F355F0CFB9C4956712E8C71760596C5168CD7984C82035
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter cocaman
Tags:AgentTesla payment zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Rebecca Cowie <1falcon@mtaonline.net>" (likely spoofed)
Received: "from mtaonline.net (unknown [38.133.106.153]) "
Date: "10 Oct 2023 16:53:39 +0000"
Subject: "Re: FW: Po_Payment"
Attachment: "PO.zip"

Intelligence

File Origin
# of uploads :
7
# of downloads :
108
Origin country :
SE SE
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PO.hta
File size:1'040 bytes
SHA256 hash: f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
MD5 hash: 700b6a975495e125104439b4fb83e34e
MIME type:text/html
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.Hta_Zip_2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2/results/dashboard
Payload URLs
URL
File name
https://cdn.discordapp.com/attachments/1130892959336906764/1161056088590921859/PO.exe?ex=6536e8be&is=652473be&hm=db0d4ec319d61939550bbad769e047186ee43c18db1997babacf432f1285283b&
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bitsadmin lolbin qakbot
Link:
https://www.filescan.io/uploads/6530e09c10dbe5fb92cec024/reports/bfec321f-1a36-43e4-a64f-75773e4b30db/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
Score:
1%
Verdict:
Benign
File Type:
Archive
Link:
https://malprob.io/report/e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2/
Threat name:
Script-WScript.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 02:29:09 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rjmfo4yx535sy77u7aocljb47nupfkbpup33dk3qtrmr6uaitja._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231019-kq132sgd53/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MalScript_Tricks
Create hunting rule
Author:@bartblaze
Description:Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2

(this sample)

AgentTesla

HTML Application (hta) hta f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
  
Dropping
AgentTesla
  
Dropping
MD5 700b6a975495e125104439b4fb83e34e

Comments