MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527
SHA3-384 hash: 4a6436c7650c592796a46b04f2916d3998a19523cf39d55c04c8ab042e19c146b8ab6be48d1581c4c0333b9180eb5ce2
SHA1 hash: 5af5111854b62c16a85a4c76b06d362167ac3ff7
MD5 hash: cfb582fdc167d9004a5324714eb49aa3
humanhash: washington-nuts-quebec-item
File name:PAYMENTSLIP.z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'013'464 bytes
First seen:2023-08-30 19:50:22 UTC
Last seen:Never
File type: z
MIME type:application/x-7z-compressed
ssdeep 24576:tirn0R65x3SsOunZ34GhgB7V7IWIz677Gwd8Lp:tWn0uxlOuFkV2WIJ
TLSH T18425330DA2BC790D7B6E0EB1DDC82283C51625C43E0CCB89D9D51969DDEB8B9B364398
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Reporter cocaman
Tags:AgentTesla payment z


Avatar
cocaman
Malicious email (T1566.001)
From: ""Wieser" <gradestin@d8.mysynology.net>" (likely spoofed)
Received: "from mta0.d8.mysynology.net (mta0.d8.mysynology.net [213.142.149.154]) "
Date: "29 Aug 2023 16:37:52 +0200"
Subject: "PAYMENT COPY"
Attachment: "PAYMENTSLIP.z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
CH CH
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:32512
File size:188 bytes
SHA256 hash: 50754318d26dba3f88614de1876671de7b6da4221d50886070da0b620045c36e
MD5 hash: 2b813330dc0a2164eb1fa23549e3828d
MIME type:application/octet-stream
Signature AgentTesla
File name:QUOTATION_AUG7FIBA00541·PDF.scr
File size:1'981'480 bytes
SHA256 hash: 11fcaa1c5cd20fe48028e5300bbfa406a8d5dcb0424aeef008df7a0a1742aae2
MD5 hash: 5abe3be42423d6e10f3a8675758586fb
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.6156.11951.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/64ef9da9e52937d43d9fd91a/reports/6215867e-b622-4341-9f4f-ff01376f2cb3/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527/
Threat name:
ByteCode-MSIL.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 10:39:24 UTC
File Type:
Binary (Archive)
Extracted files:
38
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pm7gur2reu7rfs53myyytzdmev5dphjt2dyzd44fjawpusykutq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z ebd9f3523a8929f8965ddb318c4f23612bd1bce99e878c8f9c2a4167d2585527

(this sample)

AgentTesla

Executable exe 11fcaa1c5cd20fe48028e5300bbfa406a8d5dcb0424aeef008df7a0a1742aae2

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 11fcaa1c5cd20fe48028e5300bbfa406a8d5dcb0424aeef008df7a0a1742aae2
  
Dropping
AgentTesla

Comments