MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 614c1412e2498b66ecb074f26059b8de8625738000bb908ebec78953b47ca5e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 18 File information Comments

SHA256 hash:	614c1412e2498b66ecb074f26059b8de8625738000bb908ebec78953b47ca5e8
SHA3-384 hash:	5c795304df2f8f71819e9f2b7d36b20cd0ea72cbf0f7444c41a2e4bbaed39f6a9fc1919298d89453eaa91de9a18084a8
SHA1 hash:	6e250d85324b7cc0392c6e44ef9434fffd241845
MD5 hash:	3198e9e562a7dfa0125154c2aaa8c611
humanhash:	july-maryland-william-chicken
File name:	Wire slip account payable.zip
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	735'704 bytes
First seen:	2024-11-21 10:00:40 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:txJ3niPcAgnZp4K+X6BVKXShIvwF+Nyi1WmB9ZM4WWmtCkkcU9c1pszgBr:jJ8cASZqKlBkXShia+NZ1trJWWmHUip7
TLSH	T1E3F433F15CC46F50B52BBAF42A8E06DC84615631D35C807EC5499DF02F968EC8D9B98F
Magika	zip
Reporter	cocaman
Tags:	AgentTesla payment zip

cocaman

Malicious email (T1566.001)
From: "MARINA RIVERA <cop29@rentacarbaku.az>" (likely spoofed)
Received: "from rentacarbaku.az (unknown [69.174.100.78]) "
Date: "19 Nov 2024 23:08:12 -0800"
Subject: "Re: Overdue Notice For Payment"
Attachment: "Wire slip account payable.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	32512
File size:	20 bytes
SHA256 hash:	cbe60aa851995a0695a64da263868300ddfb5d274c962dc28630f657dec9074d
MD5 hash:	77c52c0426745338d6e591fa2836b54c
MIME type:	application/octet-stream
Signature	AgentTesla

File name:	Wire slip account payable.pif
File size:	776'200 bytes
SHA256 hash:	a36c66fb7fdfb2639cc0ccdeaeef4e6c1a1cd103ba76309ed32777b3f2ab069d
MD5 hash:	f3c67cd1bbb9c8a8bcb56ee97c5a7b27
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3120.12398.24829.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=673f06491ff0153667479ff7

Tags:

agenttesla lien

Result

Verdict:

Unknown

File Type:

ZIP File

Link:

https://app.docguard.net/614c1412e2498b66ecb074f26059b8de8625738000bb908ebec78953b47ca5e8/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/673f04e4b35ce1e5c768245f/reports/714761d9-5b4a-43dc-96d9-df6c052de360/overview

Verdict:

Malicious

Labled as:

Trojan.Autoruns.GenericS

Link:

https://www.hybrid-analysis.com/sample/614c1412e2498b66ecb074f26059b8de8625738000bb908ebec78953b47ca5e8

Score:

99%

Verdict:

Malware

File Type:

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/241121-phx4msskdy/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/614c1412e2498b66ecb074f26059b8de8625738000bb908ebec78953b47ca5e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)