MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf
SHA3-384 hash: 357e9e91c523bad60312b53172890ceccd7b89b0c3c0c75cf487d704395ab37a446c4865b5a516c5707468142d57e524
SHA1 hash: b85ac9819830c0099c31476cc2498c62634c6cb8
MD5 hash: 857cbd474e9fb0bc22bea7c819fe324a
humanhash: pip-happy-seventeen-grey
File name:HSBC Bank_Payment Copy_Pdf.exe
Download: download sample
File size:52'736 bytes
First seen:2022-04-14 05:46:43 UTC
Last seen:2022-04-14 06:54:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 768:jhOXpAX7jh07ML7FchM4LEkntkP+AoJuuGAR3DwCyKHfW2a:KpC0PX30uGmXyKeD
Threatray 481 similar samples on MalwareBazaar
TLSH T1C533B702F618D2B1C389573BE4CAE04CDBA6890E7217C74AF4857F5E1A633919CFA61D
File icon (PE):PE icon
dhash icon 64e4c8d0f0e8d4d4 (56 x AgentTesla, 7 x RemcosRAT, 5 x NanoCore)
Reporter abuse_ch
Tags:exe HSBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Bank_Payment Copy_Pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-04-14 07:29:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65016dca-c0f5-49e1-8812-99a2e0a4e124

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263569/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.9.30381.6088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6257b55affe27d5119ca9e9f/reports/ed8551a7-2146-4360-a553-cc90a9ba2d56/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6eb9ced8-29ce-4c24-8f85-02573fe71d9b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/976595
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 05:47:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytyyj2mia3o2ivr642kk6tjssor2k5thfs7hcn42f2k36aok3xpq._file
Verdict:
malicious
Similar samples:
5fc33b3fda224e85ca520da99c6caed5bcfef8e0e29636df90b2ff4ca16a9abd
7c8962ad0cf0487df0793c34b8bba9b9fbb83e88287afa9761083e3d7b4eda36
a152a9051f9029898732b666d6e96390263e4d0582bc93f0701aec383e5db3f6
bec324abe89a4466ea31b46a11270f69ee71fb01d6a640edaad566f589aa9ef9
c09a64df71db0720511fcbc521afd0023f121c2b015e57f8ddf773f0850c0f48
d3de0cc9a70052bbc7f3711c6b3564d8492a5fd96c9055507959940a38aa76a1
e7acb91c1fe721b5a2cb5dcae27e69d1ce575cf19a0d929fe6b6ff9b81ebdf9b
f3963b6874a703f393f21fdef33a11f3fd83b34a92a90b8bbe7cb7d93aa44ea9
f8a4be5923387077b32e65cfea383db1576e5dd068b926a1e9833ff24e48fd64
+ 471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220414-ggxgqaggel/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf
MD5 hash:
857cbd474e9fb0bc22bea7c819fe324a
SHA1 hash:
b85ac9819830c0099c31476cc2498c62634c6cb8
Link:
https://www.unpac.me/results/a7cdb7ac-e824-4711-b001-5afd595c3c40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe c4f184e98806dda4563ee694af4d3293a3a576672cbe71379a2e95bf01cadddf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263569/

Comments