MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14bd4f95bb503d8706eef510d1e028cf88d99a6903a585d72d441007c6fb44f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	14bd4f95bb503d8706eef510d1e028cf88d99a6903a585d72d441007c6fb44f7
SHA3-384 hash:	bfaeda3f39c44b569960ff0d42f79bfb6bcc95293c50b7a08158525af35848582beddabbd46361b1a253d9bb4a05909d
SHA1 hash:	52c086b963cc71368cbdc0a22a48024ebda75c3f
MD5 hash:	473dcdde668b44ac917601f5af97a598
humanhash:	carpet-tennessee-green-virginia
File name:	SGP191001-000045.pdf.z
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	533'155 bytes
First seen:	2023-07-10 07:40:51 UTC
Last seen:	Never
File type:	z
MIME type:	application/x-rar
ssdeep	12288:4X6110iNLDTfok5gf05SEzSeYP9bdZMkc4/3Mcx1HZplo:4q0itDsNsRe/5dZMkc4P3ZZpC
TLSH	T1D9B4232CAA7CF5D7804865AF1435B0A0640477CEA2F89E9C078F1D64BC49EF7836EE58
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	AgentTesla payment z

cocaman

Malicious email (T1566.001)
From: "Jagath Sai <Straight2bank.sg@sc.com>" (likely spoofed)
Received: "from sc.com (unknown [185.222.58.246]) "
Date: "10 Jul 2023 03:50:58 +0200"
Subject: "Payment Editing Copy// SGP191001-000045"
Attachment: "SGP191001-000045.pdf.z"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	SGP191001-000045.pdf.exe
File size:	579'584 bytes
SHA256 hash:	0caa683c9f3f6bcad952386397eb6a3e70d5c0f4b2b3d8b144f03a620e81ef0f
MD5 hash:	4624df1a5b317d440c5cc23eb50148b3
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.28929.RarHeur.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64abb60f4b573cca625dbb04/reports/12eeb4d8-d403-4814-8e36-af1a4143364a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/14bd4f95bb503d8706eef510d1e028cf88d99a6903a585d72d441007c6fb44f7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/14bd4f95bb503d8706eef510d1e028cf88d99a6903a585d72d441007c6fb44f7/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-07-10 01:44:38 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cs6u7fn3ka6yobxo6uindybiz6entgtjaosylvzniqiaprx3it3q._file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research