MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff
SHA3-384 hash: c6b0afc48e93dd55b1af8c645984207d6b92eb54e458f7eb17667eba231b19162f2a583a0f23a26bb2a11b66adf591b4
SHA1 hash: f30f01b8895d4d242dc357513a3a26c27e7f4e50
MD5 hash: 0339213b5bdb9441a5e81d7c7adf6be9
humanhash: echo-coffee-paris-salami
File name:New order2023-11-08T073601.6882906Z.csv.7z
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'331'901 bytes
First seen:2025-07-03 14:40:14 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
ssdeep 24576:ml2CZ6Bibs9KLtR9dfcTjfU7/e5LcfNSbeX2k7TCkBCxG/wJE:GPZW59Kxdfs4q5LKkbQ7O7xQwO
TLSH T1D155337E565E30E63C246475CED4F28A7D0B67989DB62CC030EB1AE7E0D29B8476D813
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika sevenzip
Reporter cocaman
Tags:7z AgentTesla


Avatar
cocaman
Malicious email (T1566.001)
From: "Eve Lv <Eve.Lv@cat.com>" (likely spoofed)
Received: "from cat.com (192-200-158-132.phx.as13926.net [192.200.158.132]) "
Date: "03 Jul 2025 07:39:44 -0700"
Subject: "New order from CCMC OSF-CHANGZHOU TAIRUN PLASTIC INDUSTRY"
Attachment: "New order2023-11-08T073601.6882906Z.csv.7z"

Intelligence

File Origin
# of uploads :
1
# of downloads :
24
Origin country :
CH CH
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:New order2023-11-08T073601.6882906Z.csv.exe
File size:1'854'464 bytes
SHA256 hash: 765fa5903f87bf9191dfd89f886327ed6a001c6ddd169b0f8f4e117376bb30eb
MD5 hash: 932fc6fd1153978c234b821121029803
MIME type:application/x-dosexec
Signature AgentTesla
File name:New order2023-11-08T073601.6882906Z.csv.com
File size:20'904 bytes
SHA256 hash: 64a4ed78fc56538472798f2cce28208098a38225c27103752e9ae150e7c44dd7
MD5 hash: 9ce1d51f3a820cb47a6e2970e191c02a
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Foxhole.7z_csv.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Expiro-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Expiro-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68669661c9eb97473765e315
Tags:
injection autorun micro sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature masquerade obfuscated overlay phishing signed
Link:
https://www.filescan.io/uploads/6866966d714e106cecbaeead/reports/ce5e44cd-4a77-4279-a323-39e4486ddcbd/overview
Verdict:
Suspicious
Labled as:
Ransom.Sabsik
Link:
https://www.hybrid-analysis.com/sample/ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff
Verdict:
Malware
YARA:
3 match(es)
Tags:
.Net 7z Archive AutoIt Decompiled Executable PE (Portable Executable) SFX 7z Suspect
Link:
https://app.malva.re/file/0339213b5bdb9441a5e81d7c7adf6be9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff/
Verdict:
Malicious
Threat:
Win32.Virus.Expiro
Link:
https://tip.neiki.dev/file/ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-07-03 07:31:43 UTC
File Type:
Binary (Archive)
Extracted files:
28
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5y5folqrfxtu7ebnakui3twruiewgtw276vonykt7rh3usrynd7q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250703-te3beaztgs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win32_dotnet_form_obfuscate
Create hunting rule
Author:Reedus0
Description:Rule for detecting .NET form obfuscate malware
Rule name:Windows_Virus_Expiro_84e99ff0
Create hunting rule
Author:Elastic Security
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z ee3a572e112de74f902d02a88dced1a209634edaffaae6e153fc4fba4a3868ff

(this sample)

AgentTesla

Executable exe 64a4ed78fc56538472798f2cce28208098a38225c27103752e9ae150e7c44dd7

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 64a4ed78fc56538472798f2cce28208098a38225c27103752e9ae150e7c44dd7
  
Dropping
SHA256 765fa5903f87bf9191dfd89f886327ed6a001c6ddd169b0f8f4e117376bb30eb
  
Dropping
MD5 9ce1d51f3a820cb47a6e2970e191c02a
  
Dropping
MD5 932fc6fd1153978c234b821121029803

Comments