MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2
SHA3-384 hash: 554a99cb90cfb33f64d3bd1d25ce3cbf0a454982e78290dbf0e7d0dd716064be24ab3cd83c73fd396a6c772b7e2234bc
SHA1 hash: 3a46702f71aedc5810f87914efb3f0cadd1991e5
MD5 hash: c359ae05a71a5a2969ef2ccafeac6de7
humanhash: fish-washington-bravo-bluebird
File name: PO.zip
Signature: AgentTesla
File size: 767 bytes
First seen: 2023-10-19 07:53:45 UTC
Last seen: 2023-10-22 18:26:39 UTC
File type: zip
MIME type: application/zip
ssdeep: 12:5j4/1v3ymOIJ63fc5viMThAFJSP8LJ73mdJMdS8g0IQvnI/DjH7tGV+8+4lHeqNl:94/1viGJBviLuLm69Qvmn7tk1dlH7Hjx
TLSH: T11D011574EBBA9204FF4E4479F355F0CFB9C4956712E8C71760596C5168CD7984C82035
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: AgentTesla payment zip


cocaman
Malicious email (T1566.001)
From: "Rebecca Cowie <1falcon@mtaonline.net>" (likely spoofed)
Received: "from mtaonline.net (unknown [38.133.106.153]) "
Date: "10 Oct 2023 16:53:39 +0000"
Subject: "Re: FW: Po_Payment"
Attachment: "PO.zip"

Intelligence


File Origin
# of uploads: 7
# of downloads: 108
Origin country: SE
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: PO.hta
File size: 1'040 bytes
SHA256 hash: f4520c25bbdd71349abdb776f19215294cb470dd692b0cace52fcd3a69df64db
MD5 hash: 700b6a975495e125104439b4fb83e34e
MIME type: text/html
Signature: AgentTesla
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: HTA File - Malicious
Payload URLs (URL / File name):
https://cdn.discordapp.com/attachments/1130892959336906764/1161056088590921859/PO.exe?ex=6536e8be&is=652473be&hm=db0d4ec319d61939550bbad769e047186ee43c18db1997babacf432f1285283b& / HTA File

Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bitsadmin lolbin qakbot
Threat name: Script-WScript.Backdoor.Quakbot
Status: Malicious
First seen: 2023-10-10 02:29:09 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 9 of 23 (39.13%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

Rule name: MalScript_Tricks
Author: @bartblaze
Description: Identifies tricks often seen in malicious scripts such as moving the window off-screen or resizing it to zero.

Rule name: QbotStuff
Author: anonymous

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
zip e452c2bb98bf77d963ffa7c0e12d21e7db4795417d1fbd8d5b84e2c8fa8044d2 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: AgentTesla

Comments