MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
SHA3-384 hash: 7d37ec9c9115541c3d427495a1b547a7c9d76ad93fd86c2b218907f69df583486d52c308abf712b461b024219f6fc5ab
SHA1 hash: 5548243b9f3dcfa1e58f30ae6eac74093e969096
MD5 hash: 2bca97438ef4da3d9dc19ba8305fdfe1
humanhash: india-maine-four-leopard
File name:Pago transferencias-20230404.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:784'384 bytes
First seen:2023-05-07 16:15:48 UTC
Last seen:2023-05-13 22:54:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:Owi911KxyiwDIWyfnY6bO1YbFsjIjR+4F2aHT00VE3MTDYSeN9e4rEB:ONPKz4yfnYkOWbF3laaqMY5
Threatray 3'067 similar samples on MalwareBazaar
TLSH T19EF4E1262379B7A1ECF283FC7614A4016FB06D6153B6D6D84CCAF0C95594B09FB20BA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pago transferencias-20230404.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-07 16:17:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78697d6d-b818-46be-9387-114c8436f56c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387335/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66860677.31573.30821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo jigsaw packed
Link:
https://www.filescan.io/uploads/6457cec66bfa3326714e0c5a/reports/33e4148a-67c3-4883-a339-76a6d79cc4f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd91f2cc-7a07-45fc-9b5d-2a1b03357c72
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227842
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 18:47:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqbbnbinxmgfjlafgaewpeozhzvsgcnhefy4sm6c6yz5jgs6vpca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2602293f954bbbcf9d3d6000c3bd7cc76cec8b29ae9aca6261afe4a3ba7bfe19
AgentTesla
333b4a89730feb420bc1a76bed5c75943e663abd60eaf91c1bafd8417ccab76d
AgentTesla
784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499
AgentTesla
88725bfd871070e2e66b0b37295aff45eca79d8063dedf85973f8774210f2e71
AgentTesla
96d19b0d965d8afeb87bd82f3922f80b44224b8eb6b373bafcaeecfba7ea27d9
AgentTesla
9b4befa92d48b40b7c9e687e84769fa291f310bedf9a4f5cd5aa56ca09ebf208
AgentTesla
b56529131600b58462657106380f4ec863397c8a51f52dba1ea33ec0cfccefdc
AgentTesla
c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b
AgentTesla
ca4369c92b99c4410a13c6b8f18724c46d24145c851fd744c5a3e29c7e90ab9f
AgentTesla
f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
AgentTesla
+ 3'057 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230507-tqslcagh6t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
SH256 hash:
407ed616f7ad0065ae722be9bb1e73a05c6cc3ae896cfff2891717edaead7642
MD5 hash:
70d7ca862bbbb12833c572bfed059d46
SHA1 hash:
da1c4e5fc163c065a7700619536efb4ea6ff64f8
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
SH256 hash:
280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2
MD5 hash:
d4b6893a5512534104c6c7403be60897
SHA1 hash:
d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
SH256 hash:
364a40438e19f61ec05ed7ea23f631918347d93c19a039e0858a7522cc2beae5
MD5 hash:
af84141ed49af33b12b4666384619afb
SHA1 hash:
6bcf011dcd945123df7319e60e9e5f79b618a81b
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
SH256 hash:
bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd
MD5 hash:
52c7540741d5e17d69e652ae8313bff4
SHA1 hash:
686cb503c1c90414566dbd1796b46ef0acfb231a
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
Parent samples :
784074560889770845788ca5875ff3660a30fb85d27823c017b209b101be3499
f4987dacf72e39e82c79a98402f44f83e364f4e1a96c808dbdcfd232c276fa09
1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
bdfd3a90007f6305a48bf0297b5e0f9015cda1d82b1cb90ce6627bd9e7bc16cd
f1d17b3eaebacbc4bb2bbbd958910c39391ba63cf9ff0bc7ecbc8875dded84b7
32606aec367ff7a71d0af223af5d22075a6cebc9fb967e4f2b5903fdee682bf6
34ecca4a7e5a01eb8382e6695c9478b1906e1874d3922aad852c32716fa05902
6603e18a8253f8d08941d0c458c8fc3baf185b5f2bdf9cd6854d83761f4267dc
ca6a6aecce39ebda2e107fbe004eabd01987ef49bc04078d42a566cc517be270
48fbad14bfadc210fb83d8281d7001bf056f5b96698ae2b3b27f4845045c02a8
4eff9b9fcfb59f8402b524565f92e905dbec8c610ec6dadaf9c3cb1fd5c3e5e0
a9cdb9cfeb1c1056c0db558d54cfa61d9f3dac179e934d2869f4bd829fe20819
b4e06eb03f2595cab0b744c37290c3641f8ceff3970fc4ebefae073e0b1fa780
5241d93369ff133d1aa4381a074806b10d37f414261f89f2198ef76d238b5ec1
9748fc497d427eb41191ea495d907cd5d2dd9455ed20bf08df947bdb15d84baf
SH256 hash:
1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4
MD5 hash:
2bca97438ef4da3d9dc19ba8305fdfe1
SHA1 hash:
5548243b9f3dcfa1e58f30ae6eac74093e969096
Link:
https://www.unpac.me/results/a03caf78-8102-4479-aa41-9572301b4818/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1c0216850dbb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/1c0216850dbb0c54ac0530096791d93e6b2309a72171c933c2f633d49a5eabc4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387335/

Comments