MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed0aa1d5f77fbcd828db372a4a5683beca0fcb468aef709f5611ebc744023c53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 8

SHA256 hash: ed0aa1d5f77fbcd828db372a4a5683beca0fcb468aef709f5611ebc744023c53
SHA3-384 hash: f9a3acec2510d52dac51b0e8f29634e27ae1cb841eb8c34957e118e0a3e6ad12a0821e52250dd34f2c23b2615caf7767
SHA1 hash: a5f1f0d2621092e79775e6975bdf8e53cb00763b
MD5 hash: 978784d3e8f5a38e0d6e4834cf869a6c
humanhash: magazine-south-seven-fanta
File name: Fabric WW-1580 (DPEBO1-2SDC September Buy.pdf.tar
Signature: AgentTesla
File size: 843'264 bytes
First seen: 2024-09-07 18:35:03 UTC
Last seen: Never
File type: tar
MIME type: application/x-tar
ssdeep: 24576:EfT2Hd8Vr98Fl0Yu/d4NOuhPpkBfJXAv:EfTUd8VJ8Fl0YZpCBfJXA
TLSH: T1E00523291354C812E1F9477988624394233DA4ABA253FF8E3FD6756E3F72B480A5F781
TrID: 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3); 37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika: tar
Reporter: cocaman
Tags: AgentTesla, tar


cocaman
Malicious email (T1566.001)
From: "GeorgeChan-KM <georgechan@kaming.com.hk>" (likely spoofed)
Received: "from kaming.com.hk (216-131-73-250.iad.as62651.net [216.131.73.250]) "
Date: "04 Sep 2024 21:31:31 -0700"
Subject: "PO. WW-1580(DPEB01-2SDC) September Buy"
Attachment: "Fabric WW-1580 (DPEBO1-2SDC September Buy.pdf.tar"
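The header fields quoted in the comment above show the pattern the reporter calls out: the From address sits at kaming.com.hk, and the Received line shows a relay that announces kaming.com.hk in HELO while its reverse DNS resolves under as62651.net. As an added example, not part of the original page or the reporter's comment, the following Python script parses a constructed copy of those four header lines and flags a HELO/rDNS mismatch and any HELO name unrelated to the From domain. It is a heuristic: a legitimate third-party relay produces the same mismatch, so a hit is a prompt to check the SPF, DKIM and DMARC results, not proof of spoofing on its own.

```python
"""Heuristic triage of the Received/From header pair quoted above.

Added example, not part of the MalwareBazaar page or the reporter's comment.
"""
import re

# Constructed from the four header fields quoted in the comment; not the
# original .eml, and a real message carries several more Received hops.
RAW_HEADERS = """\
From: "GeorgeChan-KM <georgechan@kaming.com.hk>"
Received: from kaming.com.hk (216-131-73-250.iad.as62651.net [216.131.73.250])
Date: 04 Sep 2024 21:31:31 -0700
Subject: PO. WW-1580(DPEB01-2SDC) September Buy
"""

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# "from <HELO name> (<reverse DNS> [<ip>])" as written by most MTAs
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)")


def parse_headers(raw):
    """Minimal 'Name: value' splitter (no folded-line support)."""
    hdrs = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs.setdefault(name.strip().lower(), []).append(value.strip())
    return hdrs


def same_or_sub(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Flag Received hops whose HELO name disagrees with the relay's rDNS,
    and hops whose HELO name is unrelated to the From domain."""
    h = parse_headers(raw)
    findings = []
    m = ADDR_RE.search(h.get("from", [""])[0])
    from_domain = m.group(1).lower() if m else None
    for rcvd in h.get("received", []):
        m = RECEIVED_RE.search(rcvd)
        if not m:
            continue
        helo, rdns, ip = m["helo"].lower(), m["rdns"].lower(), m["ip"]
        if not same_or_sub(rdns, helo):
            findings.append(f"HELO {helo} does not match rDNS {rdns} [{ip}]")
        if from_domain and not same_or_sub(helo, from_domain):
            findings.append(f"HELO {helo} unrelated to From domain {from_domain}")
    return {"from_domain": from_domain, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in triage(RAW_HEADERS)["findings"]:
        print(line)
```

On the constructed headers the script reports one finding, the HELO/rDNS mismatch; the From domain and HELO name agree, which is exactly what a spoofer wants you to see.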

Intelligence

File Origin
# of uploads: 1
# of downloads: 109
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Fabric WW-1580 (DPEBO1-2SDC September Buy.pdf.exe
File size: 841'360 bytes
SHA256 hash: 3ab5cfa98e47af08a289ebfb6bfcdb40b109ac077c1b655b47798cb559931724
MD5 hash: 87113dcc0719f80633c986c184c7e29f
MIME type: application/x-dosexec
Signature: AgentTesla
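The archive's single member uses the same naming trick as the attachment itself: a document-looking extension (.pdf) placed in front of the real one (.exe inside, .tar outside), which Windows Explorer hides by default. As an added example, not MalwareBazaar's code, the following Python script triages such an attachment without extracting it to disk: it checks the archive name and each member for a decoy extension, reads member bytes through tarfile.extractfile to look for a PE header, hashes the content, and flags path-traversal member names. The tar and the "PE" inside it are constructed inline (a 64-byte DOS header whose e_lfanew points at a PE signature, zero-padded), so they are not the real sample and the hashes it prints will not match those on this page.

```python
"""Triage a tar e-mail attachment in memory, without extracting to disk.

Added example for this MalwareBazaar entry; the archive and the fake PE
below are constructed test data, not the real AgentTesla sample.
"""
import hashlib
import io
import tarfile

DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".dll"}
ARCHIVE_EXTS = {".tar", ".zip", ".rar", ".7z", ".gz", ".iso", ".img"}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # read cap: a huge member must not exhaust memory


def double_extension(name):
    """(decoy, real) if the basename hides an executable or archive behind a
    document-looking extension, e.g. 'x.pdf.exe' -> ('.pdf', '.exe'); else None."""
    base = name.rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or "." not in stem:
        return None
    real, decoy = "." + ext, "." + stem.rpartition(".")[2]
    if real in EXEC_EXTS | ARCHIVE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def looks_like_pe(blob):
    """True if 'MZ' is at offset 0 and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_attachment(filename, data):
    """Inspect the archive name and every member; nothing is written to disk."""
    report = {"archive": filename, "archive_flags": [], "members": []}
    de = double_extension(filename)
    if de:
        report["archive_flags"].append(f"decoy extension {de[0]} before {de[1]}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf.getmembers():
            reasons = []
            if m.name.startswith("/") or ".." in m.name.split("/"):
                reasons.append("path traversal in member name")
            entry = {"name": m.name, "size": m.size, "reasons": reasons}
            if m.isfile():
                blob = tf.extractfile(m).read(MAX_MEMBER_BYTES)
                entry["truncated"] = m.size > len(blob)  # hashes cover read bytes only
                entry["sha256"] = hashlib.sha256(blob).hexdigest()
                entry["md5"] = hashlib.md5(blob).hexdigest()
                if looks_like_pe(blob):
                    reasons.append("PE header (MZ/PE) found")
                de = double_extension(m.name)
                if de:
                    reasons.append(f"double extension {de[0]}{de[1]}")
            report["members"].append(entry)
    report["suspicious"] = bool(report["archive_flags"]) or any(
        e["reasons"] for e in report["members"])
    return report


def make_tar(members):
    """Build an in-memory tar from {name: bytes}; constructed test input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def fake_pe():
    """64-byte DOS header with e_lfanew -> 'PE\\0\\0', zero-padded; not runnable code."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 200


# Constructed stand-in for the attachment on this entry (same naming pattern).
SAMPLE_NAME = "Fabric WW-1580 (DPEBO1-2SDC September Buy.pdf.tar"
SAMPLE_TAR = make_tar({"Fabric WW-1580 (DPEBO1-2SDC September Buy.pdf.exe": fake_pe()})

if __name__ == "__main__":
    import json
    print(json.dumps(scan_attachment(SAMPLE_NAME, SAMPLE_TAR), indent=2))
```

Two design points: members are read via extractfile rather than extracted, so a crafted member name cannot write outside a directory, and the read is capped, with the hash marked truncated when the cap bites, so a decompression-bomb-sized member cannot take the scanner down with it.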
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: Encryption, Execution, Infostealer, Network, Stealth, Agent Tesla

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade, obfuscated, overlay, packed

Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Spyware.Negasteal
Status: Malicious
First seen: 2024-09-05 04:40:26 UTC
File type: Binary (Archive)
Extracted files: 3
AV detection: 18 of 24 (75.00%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
tar ed0aa1d5f77fbcd828db372a4a5683beca0fcb468aef709f5611ebc744023c53 (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: AgentTesla

Comments