MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
SHA3-384 hash: 64ede8d181430f6a2b8dd7d374ab8a5be9f15bb5e2bd8508ea9afc449b6058ef96367c83079251ece9a1afd5e3361b0a
SHA1 hash: 5fcac0b74fc2ccf4b3c82cc577e1bc401b000773
MD5 hash: 9ece32c0fc8b0ae708e78a44e8fd3e87
humanhash: mobile-happy-lion-colorado
File name:Transfer Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:716'288 bytes
First seen:2023-09-11 07:25:43 UTC
Last seen:2023-09-11 07:26:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:03u2iNHkDwMD8UaYUj84U1WYnSfVvy+EogoaWWZl/BS4KFtFLKKXQI8REcvncuAu:03u1RkDV8nrTUAYn8yo0lpiFXVIcuY
Threatray 881 similar samples on MalwareBazaar
TLSH T1ADE4125AF7BC4F47D23A6BF148911080137B6E15E172FA194DD320EB25B2B610B92FA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Transfer Copy.exe
Verdict:
Malicious activity
Analysis date:
2023-09-11 07:26:16 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/5131f9c8-7adb-4d39-a63c-cae930e05fd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447838/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e77abbcf-6d5c-4472-88d1-191c1734617d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307080
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307080 Sample: Transfer_Copy.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 100 39 mail.suncil-intenational.com 2->39 53 Found malware configuration 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 4 other signatures 2->59 9 Transfer_Copy.exe 3 2->9         started        12 yPPclX.exe 2 2->12         started        14 yPPclX.exe 1 2->14         started        signatures3 process4 signatures5 61 Writes to foreign memory regions 9->61 63 Allocates memory in foreign processes 9->63 65 Injects a PE file into a foreign processes 9->65 16 RegSvcs.exe 17 4 9->16         started        21 RegSvcs.exe 9->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        process6 dnsIp7 33 mail.suncil-intenational.com 16->33 35 api4.ipify.org 104.237.62.212, 443, 49702 WEBNXUS United States 16->35 37 api.ipify.org 16->37 31 C:\Users\user\AppData\Roaming\...\yPPclX.exe, PE32 16->31 dropped 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->41 43 Tries to steal Mail credentials (via file / registry access) 16->43 45 Tries to harvest and steal browser information (history, passwords, etc) 16->45 51 2 other signatures 16->51 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->47 49 May check the online IP address of the machine 21->49 27 MpCmdRun.exe 1 23->27         started        file8 signatures9 process10 process11 29 conhost.exe 27->29         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e/
Threat name:
Win32.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 12:36:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgh7imhnjg744myj63grpde3lcessrm7mzquwthe7g3d2m5vuspa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d764be70840124eb68ad9bbdccb996bc56ccea2d4bd804ebf99141629dd0b0b
AgentTesla
24c957cdb333eb129fa5cde3ab365273ec1fb07e4a03e7bb92e7d8ae41301e8c
AgentTesla
3df4a60f664b3a105d0562b885a6ec1a63956917b7c2325357e09e81e6d50899
AgentTesla
69d31a62dc0f4c9faffbe33f0c65dfa6240ef17dff57cc5ccc1a15f1219c5eb9
AgentTesla
7d4f7981db8db1cd2ace8fb209ff9c5e73315bd1ded3157f3ad9bc085052d2e8
AgentTesla
9031046e4ced137007aef2a35a80ab5e4a66dfcc47505d7c7832283ec1ae2c5a
AgentTesla
ab335b9636205ee0f2260e18b7c546b6a110015b3a1b759bac656f17ce9e93b2
AgentTesla
f6ceb475c843b5339bdd85afc176eba77bf0d7a133afa4e092e3cd9e93889a7a
AgentTesla
+ 871 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230911-h9h1gaec3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
5700539893bdcdb8cd4d37317a2b9d5cef4fc96ec92aee310009c2d2f5cf62fa
MD5 hash:
b05585c62c6e980263d644b256728b99
SHA1 hash:
eb45c8ac0d32fb9ce9ff6d00967e019e4c6109ca
Link:
https://www.unpac.me/results/b8371dd8-a923-4371-a2ab-1a746b304a72/
SH256 hash:
32c8589b272f5e76459442108d1f8aba881414fbe91f638723345556757608f1
MD5 hash:
b2e93d4a9e64d1d8e2a032c914c1bdac
SHA1 hash:
e40c5316797d0487aeda3aa33bdd516758f8c7f3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/b8371dd8-a923-4371-a2ab-1a746b304a72/
Parent samples :
601ca85fa385ee74827fc023fc91c88964e8bc7dd8724305cddf1e089c7d372a
6ae4be0b156132af2c8150ca4e286a95053ac17792d295cfd21a03aa4938bf52
118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
8418ebee87a14a2ecbf14dcab28b5b311efee6d4a66cf95ff6c748e35320485a
dfa4ed974c1b0752099c6d765b388b6ec2847c383fa115d000791f34c175aa55
SH256 hash:
55ea20faf9b0c8c00f3d3ea16ff5bfd836fa99f1941946885d45240d2f681f4c
MD5 hash:
eec54763c3b2e33ba860048ffe88f910
SHA1 hash:
8034038ca99a91c8fdf69b1bc745e9dcdaac02e4
Link:
https://www.unpac.me/results/b8371dd8-a923-4371-a2ab-1a746b304a72/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/b8371dd8-a923-4371-a2ab-1a746b304a72/
SH256 hash:
118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e
MD5 hash:
9ece32c0fc8b0ae708e78a44e8fd3e87
SHA1 hash:
5fcac0b74fc2ccf4b3c82cc577e1bc401b000773
Link:
https://www.unpac.me/results/b8371dd8-a923-4371-a2ab-1a746b304a72/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/118ff430ed49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f6c834aacc322afa8507f56d7b5883c96f1f220b6a10c6d2f656e49dc0e83e18

AgentTesla

Executable exe 118ff430ed49bfce3309f6cd178c9b588929459f66614b4ce4f9b63d33b5a49e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f6c834aacc322afa8507f56d7b5883c96f1f220b6a10c6d2f656e49dc0e83e18
  
Dropped by
SHA256 b848f864d15426bbb923cd36c954b86c6f159465f8ed21527757edeba7a415b4
Cape
Cape
https://www.capesandbox.com/analysis/447838/
  
Dropped by
MD5 8d5ecbb69bdddc98c77de1ea3fb4efab
  
Dropped by
MD5 2d9871a155f3a3fcd5612af69dbe7b81

Comments