MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428
SHA3-384 hash: 916c8ae2c5d1491d564de5c366d1238cbd78c3ab1f154fc76dbe437d43874529e7428eecaa5f3307cdea7ad57a9a6ce3
SHA1 hash: 46414f8f962750034022739457989c99798b7492
MD5 hash: 57a3107f1b46914bf7c97ecd86c3093b
humanhash: tango-indigo-seventeen-oklahoma
File name:Opened Orders And Overdue Amount As At 10th september 2023.rar
Download: download sample
Signature AgentTesla
Create hunting rule
File size:616'678 bytes
First seen:2023-10-02 11:58:36 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:TXZeZyCRmttRa1UgjWUlShppQ1Yh10pRO9EbqYBhty1mUIN/lm/lZlI1:zsIHa1UgyUS7u2huOOzt2Cdqe1
TLSH T1E1D423EBDF15F25225DE52B84A0F86B4BB930109A58E8E76B473CC24C5785D48B7B0B2
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla rar


Avatar
cocaman
Malicious email (T1566.001)
From: "Joe <jaidev@aabqatar.com>" (likely spoofed)
Received: "from aabqatar.com (unknown [45.137.22.123]) "
Date: "2 Oct 2023 13:57:48 +0200"
Subject: "Re: Opened Orders And Overdue Amount As At 10th september 2023"
Attachment: "Opened Orders And Overdue Amount As At 10th september 2023.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Opened Orders And Overdue Amount As At 10th september 2023.exe
File size:672'768 bytes
SHA256 hash: 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
MD5 hash: 1ed5ad3e9e507982677854ddffae0bfc
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/651ab0870870810f018aea2d/reports/190bff80-bf26-41b6-b8fb-cd2a3451736a/overview
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 05:46:32 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5b3psxjueufpqvk5y7lrimp2unonfievdo5i4v2awkz7qe7v2qua._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231002-p2cl2sce43/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar e876f95d34250af8555dc7d71431faa35cd2a0951bba8e5740b2b3f813f5d428

(this sample)

AgentTesla

Executable exe 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
  
Dropping
AgentTesla
  
Dropping
MD5 1ed5ad3e9e507982677854ddffae0bfc

Comments