MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0bc874f7ad8f7be9d4bf7627c49d72ec39148ab29a2803c2667dea45475028f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 7

SHA256 hash: f0bc874f7ad8f7be9d4bf7627c49d72ec39148ab29a2803c2667dea45475028f
SHA3-384 hash: 31a90baacae61450d92d747ccb77be3605a4224ffd3a4be1a6bf8decd4618fc684f33971f9d5b6729589d0db58208b9c
SHA1 hash: 18aafdd747cb817de5e0d21bbe970f6435e3052f
MD5 hash: 1d4d072f8acab45b2df2a002c6fba4c6
humanhash: kansas-mobile-massachusetts-nebraska
File name: proof of payment.r00
Signature: AgentTesla
File size: 641'498 bytes
First seen: 2023-06-05 14:50:22 UTC
Last seen: 2023-06-05 14:54:57 UTC
File type: r00
MIME type: application/x-rar
ssdeep: 12288:ewUalaYlmF2SiSIh8CXRJWzc27JNw9ar6agGixpnmJhEWj2a4qUdtELkVs8PE:ewUala0c2Sijh8uAcqNw9EgJjmQWjQE1
TLSH: T12FD423B3A62E6531F9CC35500B983E94AC3B787D298F956A3540B5842DC33DDA1F78E2
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1); 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter: cocaman
Tags: AgentTesla payment r00


cocaman
Malicious email (T1566.001)
From: "CRM CGRE <account@cgre.ae>" (likely spoofed)
Received: "from cgre.ae (unknown [185.222.57.154]) "
Date: "24 May 2023 23:41:42 +0200"
Subject: "Re: Fwd: Re: I am sending proof of payment "
Attachment: "proof of payment.r00"

Intelligence

File Origin
# of uploads: 2
# of downloads: 110
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: 8Bdwzkseq1DI4PR.exe
File size: 710'656 bytes
SHA256 hash: a229b01fd4888c399c9310fdb53edbee125121f96cb7f6c710adcd616a4c3677
MD5 hash: c7b6c4db5687fa811a197be43f49b065
MIME type: application/x-dosexec
Signature: AgentTesla
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-05-24 12:12:55 UTC
File Type: Binary (Archive)
Extracted files: 11
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_AgentTesla_d3ac2b2f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam (AgentTesla)
Sample: r00 f0bc874f7ad8f7be9d4bf7627c49d72ec39148ab29a2803c2667dea45475028f (this sample)
Delivery method: Distributed via e-mail attachment
Dropping: AgentTesla

Comments