MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339
SHA3-384 hash: 9ebfc9e8f98a0c09fadb1b36559687c5d0c81115ceee060de50cdc159af90d89973c9a5c384bf9bd5b7bb29fe67371fc
SHA1 hash: 3469a90fada490e88d09d0ea513d9fd8d6b5ee80
MD5 hash: fa7768af423cdad3e70b5f4d6ea48dad
humanhash: nebraska-rugby-montana-arizona
File name:Payment copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:797'184 bytes
First seen:2023-02-07 16:48:36 UTC
Last seen:2023-02-09 03:07:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:aVawxO5dWpx5O501WW7UUirvmi814dEyBEcZ:yTs8px/7x2J4c
Threatray 6'315 similar samples on MalwareBazaar
TLSH T18C05222C67FDCB10C5AF5AFCD8712660477664206A22F31E0DDB72DA3D66B908B40B5B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JaffaCakes118
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
193
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment copy.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 16:55:49 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/ba3a1955-f3f0-450c-878c-a991c33fb19d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/361459/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1822.30028.29498.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e281011c9cbf7d625672e0/reports/b3a4729c-e533-4ba9-be63-2b41351bf2ea/overview
Verdict:
Malicious
Labled as:
TrojanS.C5A2F73F
Link:
https://www.hybrid-analysis.com/sample/c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c89e0f5-d6d0-4709-9c46-35738eb2d1a0
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1168383
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 801165 Sample: Payment copy.exe Startdate: 08/02/2023 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 7 Payment copy.exe 7 2->7         started        11 qaBSuKQKn.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\qaBSuKQKn.exe, PE32 7->31 dropped 33 C:\Users\...\qaBSuKQKn.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp3160.tmp, XML 7->35 dropped 37 C:\Users\user\...\Payment copy.exe.log, ASCII 7->37 dropped 53 Writes to foreign memory regions 7->53 55 Adds a directory exclusion to Windows Defender 7->55 57 Injects a PE file into a foreign processes 7->57 13 RegSvcs.exe 3 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 21 RegSvcs.exe 3 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 us2.smtp.mailhostbox.com 208.91.199.225, 49697, 587 PUBLIC-DOMAIN-REGISTRYUS United States 13->39 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->63 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->65 67 Tries to steal Mail credentials (via file / registry access) 13->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->69 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        41 208.91.198.143, 49698, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->41 43 192.168.2.1 unknown unknown 21->43 71 Tries to harvest and steal ftp login credentials 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 12:04:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytwqp5ylbaduvxaldssjagrhp7rcm4b2l7wbnomqoknygrm5cm4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203
AgentTesla
5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac
AgentTesla
6d73e767959ba770dc38fa6cfc31459903cefb11c08058c03c378fe79b409982
AgentTesla
6e684555c5cc0b3e36348e9bf1c5c23cf8ae19790741344295ca741233c9b846
AgentTesla
7b59507d5b9f3c30fc095fabfc7e88ff59977767cc39477ca75f20577a750989
AgentTesla
7f490d0ca36f65c1a3e08dbfb095c6b9bf26b7db071c624675635013a5c34cde
AgentTesla
8b084a5b70a6572aa23ed19deb7007a91ea8ea740a36b801b6c98fccd7a2b3ec
AgentTesla
dc0e4f762dfa9989cee78a01c3186d710365695141ec8ea246e5bee245d2944b
AgentTesla
ddf0772c851138bd086ac7f40fb3737fe3d5293ba7123bdc6639489eb4d5829e
AgentTesla
ddf42d793f113c479e0b15862da47cf6ea2ad954b94232d580cb84f65e318005
AgentTesla
+ 6'305 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230207-vbnvaacf98/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
f98e961200e7b978180d3f16b2dc0e3b588d707f8b6d643af1dab30543ca197b
MD5 hash:
b2f38f47c616ce11f0e3e71acaf38ac1
SHA1 hash:
f1872371ddf7536482da5ac09c6d5ab7606439b3
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
SH256 hash:
08bad68fdbf897c0cea31466523f47c6c5d7efab505413933e456cfc4fa3a876
MD5 hash:
b51fe340ce85914011f3fee50128d684
SHA1 hash:
d54a20fb387cbee8c246d32bc24e7d6a2095316b
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
SH256 hash:
dabebbba1452864430d23a5be6436553445fa534d3432b65f860c506ab39e0b7
MD5 hash:
a87e4e454ac85da0f454e3db5a580b31
SHA1 hash:
d0d2a37e227520d709dd82421c058048227621f4
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
SH256 hash:
8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7
MD5 hash:
7f225c69df031bf0560aed3847a1221a
SHA1 hash:
4d5f3ccdb2c6015d2b2a73326c0f32b173af2819
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
SH256 hash:
c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339
MD5 hash:
fa7768af423cdad3e70b5f4d6ea48dad
SHA1 hash:
3469a90fada490e88d09d0ea513d9fd8d6b5ee80
Link:
https://www.unpac.me/results/4043b6d6-0db3-46f2-969b-19702bfc85a0/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c4ed07f70b08/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c4ed07f70b08074adc0b1ca4901a277fe226703a5fec16b990729b83459d1339

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/361459/

Comments