MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58
SHA3-384 hash:	724c6b1608a6a426c1d5655cdbd4ff993c4b74791c5ab6bcc15d1809dd4b1964f72d8868bcd03eb9ef36f4f8ab9fb878
SHA1 hash:	6ce8733c53b7a92f0b47ff754e0494fcca37fe22
MD5 hash:	691e99a6aac6fbb7e3c81bd93eeb7e90
humanhash:	enemy-robert-table-friend
File name:	Invoices Paid,pdf.img
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	63'488 bytes
First seen:	2022-11-02 08:34:02 UTC
Last seen:	Never
File type:	img
MIME type:	application/x-iso9660-image
ssdeep	384:FPCNbsCvJMySqZsPYvLfptYcFmVc03Kb:FPsb/vLRtYcFmVc6Kb
TLSH	T17453F949D3C01272DAB3477629B3A7469777B2A758F78BAA308C040E7F6774017A33A0
TrID	99.6% (.NULL) null bytes (2048000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3) 0.0% (.SMT) Memo File Apollo Database Engine (88/84)
Reporter	cocaman
Tags:	AgentTesla img INVOICE payment

cocaman

Malicious email (T1566.001)
From: "accountpayables@alnahdhagroup.com" (likely spoofed)
Received: "from [45.139.105.131] (unknown [45.139.105.131]) "
Date: "1 Nov 2022 20:14:26 +0100"
Subject: "Balance Payments Transfer"
Attachment: "Invoices Paid,pdf.img"

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Invoices Paid,pdf.exe
File size:	10'752 bytes
SHA256 hash:	87f00818b5a9eb55e6cc6a7a5f4b8e3b887d8b0fb743cb5ecf3eabbe76738a5f
MD5 hash:	4de011ecf9142c0a21da2d7964ae34bd
MIME type:	application/x-dosexec
Signature	AgentTesla

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Iso_fs1493.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

context-iso obfuscated packed

Link:

https://www.filescan.io/uploads/63622b7cb8952e91d3d2565f/reports/eefb5302-8202-49f2-891f-193c2b51eb66/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58/

Threat name:

ByteCode-MSIL.Trojan.Zmutzy

Status:

Malicious

First seen:

2022-11-01 18:00:46 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

16 of 40 (40.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhzcdllmq5zrrxu74t3vbrvwzauqaq6s7qu34czqctvea4cixzma._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c1f221ad6c877318de9fe4f750c6b6c8290043d2fc29be0b3014ea407048be58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_VBS_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contain VBS functions
Reference:	Internal Research