MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 18



SHA256 hash: 291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2
SHA3-384 hash: ac0dcd52bae2badf5cb691c12812344d8e286e342d889e177563b5a44a50b2f4031d7adab189e19a9c52529f8316e350
SHA1 hash: 4618047e01c29c2b2fc9c7e217fdbfd290dba0d6
MD5 hash: a5afaac697fab2c766051607ae273134
humanhash: white-sad-solar-friend
File name: file
Signature: AgentTesla
File size: 8'881'664 bytes
First seen: 2025-04-01 12:21:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ba7ea63af7a7301d263e3a8b2813b978 (1 x AgentTesla)
ssdeep: 196608:LVWcUXnQ6xnIswB3ys2uypSZ4JCaqcwB3ys2uypSZ4JC7q:LVWcUXnQ6xnIp9zyS4JCaqZ9zyS4JC7q
TLSH: T16396DF013EA84654C8AE5639D4629536E673BD4F130CDADB12A0BD583F73BC0AD39F62
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 8165262633494db2 (1 x AgentTesla)
Reporter: jstrosch
Tags: AgentTesla exe X64


jstrosch
Found at hxxps://pub-df9b8adf344d43928bcf03e42ff0c130.r2[.]dev/AAservices.exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: CA
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2025-03-30 08:39:45 UTC
Tags:
xred backdoor delphi dyndns github loader auto quasarrat njrat credentialflusher miner coinminer botnet phorpiex rat bladabindi hausbomber possible-phishing stealer dcrat redline remcos lumma

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
infosteal orcus lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla anti-debug anti-vm backdoor certutil cmd crypto evasive explorer findstr fingerprint hacktool infostealer keylogger krypt lolbin lolbin microsoft_visual_cc netsh orcusrat packed packed packer_detected rat reconnaissance regedit remote rundll32 stealer stealer
Result
Threat name:
Destiny Stealer, Orcus, Phemedrone Steal
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Destiny Stealer
Yara detected Orcus RAT
Yara detected Phemedrone Stealer
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Behaviour
Behavior Graph:
Behavior Graph ID: 1653665; Sample: file.exe; Start date: 01/04/2025; Architecture: WINDOWS; Score: 100
Top signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 14 other signatures
Process tree: file.exe (signature: Found many strings related to Crypto-Wallets (likely being stolen)) started cmd.exe, cmd.exe, conhost.exe and cmd.exe; the first cmd.exe started certutil.exe, find.exe and find.exe; the second cmd.exe started taskkill.exe
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2025-03-29 05:47:19 UTC
File Type:
PE+ (Exe)
Extracted files:
80
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
stormkitty
Result
Malware family:
stormkitty
Score:
  10/10
Tags:
family:orcus family:stormkitty
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Verdict:
Malicious
Tags:
rat orcus_rat stealer phemedronestealer phemedrone_stealer stormkitty agent_tesla redline trojan Win.Packed.Generic-9805849-0
YARA:
win_orcus_rat_simple_strings_dec_2023 detect_Redline_Stealer_V2 Agenttesla_type2 MALWARE_Win_Cyberstealer MALWARE_Win_Phemedronestealer MALWARE_Win_StormKitty JPCERTCC_Agenttesla_Type2 MALWARE_Win_PhemedroneStealer Windows_Generic_Threat_2bb6f41d
Unpacked files
SHA256 hash: 291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2
MD5 hash: a5afaac697fab2c766051607ae273134
SHA1 hash: 4618047e01c29c2b2fc9c7e217fdbfd290dba0d6
Detections: win_orcus_rat_a0

SHA256 hash: 1503206d59568c315daeadd8e2d4f72e98a54abf5a2276158cb7f17697d9b45c
MD5 hash: e9eda10aeabbac16b46f8295c2d683ce
SHA1 hash: a09a9cccf0a56c0fc02d40bcf035801bd62bf8e9
Detections: win_orcus_rat_a0 cn_utf8_windows_terminal Agenttesla_type2 win_orcus_rat_simple_strings_dec_2023 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_GENInfoStealer INDICATOR_SUSPICIOUS_EXE_CC_Regex INDICATOR_SUSPICIOUS_EXE_Discord_Regex INDICATOR_SUSPICIOUS_EXE_References_VPN INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs MALWARE_Win_StormKitty MALWARE_Win_CyberStealer MALWARE_Win_PhemedroneStealer

SHA256 hash: 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
MD5 hash: 1898ceda3247213c084f43637ef163b3
SHA1 hash: d04e5db5b6c848a29732bfd52029001f23c3da75
Detections: PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429
Parent samples:
SHA256 hash: d5e8f755fb285b65406735fb8785bf9df283ffc7570bada7d7e02f286bda2d70
MD5 hash: 0cfc53f954300c1e4f1696cc8b02138d
SHA1 hash: d49fc1f5cc973583a9a4cde21d39cc312082887d
Detections: win_orcus_rat_a0 OrcusRAT Agenttesla_type2 win_orcus_rat_simple_strings_dec_2023 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_GENInfoStealer

SHA256 hash: 26725bafdd0297dd23f0709b73483454f0d51b3209f882d12db253ae17000fdc
MD5 hash: d011270ffb9d86fb2646f1f44a2c389c
SHA1 hash: 29eabb30d29f2cc094fe602f2d0226533d448a43
Detections: StormKitty cn_utf8_windows_terminal INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_CC_Regex INDICATOR_SUSPICIOUS_EXE_Discord_Regex INDICATOR_SUSPICIOUS_EXE_References_VPN INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs MALWARE_Win_StormKitty MALWARE_Win_CyberStealer MALWARE_Win_PhemedroneStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: ByteCode_MSIL_Backdoor_OrcusRAT
Author: ReversingLabs
Description: Yara rule that detects OrcusRAT backdoor.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: detect_Redline_Stealer_V2
Author: Varp0s

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: grakate_stealer_nov_2021

Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of MFA browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_CC_Regex
Author: ditekSHen
Description: Detects executables referencing credit card regular expressions

Rule name: INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Author: ditekSHen
Description: Detects executables referencing Discord tokens regular expressions

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_VPN
Author: ditekSHen
Description: Detects executables referencing many VPN software clients. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author: ditekSHen
Description: Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Author: ditekSHen
Description: Detects executables with interest in wireless interface using netsh

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: MALWARE_Win_CyberStealer
Author: ditekSHen
Description: Detects CyberStealer infostealer

Rule name: MALWARE_Win_PhemedroneStealer
Author: ditekSHen
Description: Detects Phemedrone Stealer infostealer

Rule name: MALWARE_Win_StormKitty
Author: ditekSHen
Description: Detects StormKitty infostealer

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RAT_win_Orcus
Author: KrknSec
Description: Detects Orcus RAT
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: telegram_bot_api
Author: rectifyq
Description: Detects file containing Telegram Bot API

Rule name: Windows_Generic_Threat_2bb6f41d
Author: Elastic Security

Rule name: win_orcus_rat_simple_strings_dec_2023
Author: Matthew @ Embee_Research
Description: Strings observed in Orcus RAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2

(this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertSidToStringSidA, ADVAPI32.dll::CopySid, ADVAPI32.dll::GetLengthSid, ADVAPI32.dll::IsValidSid, ADVAPI32.dll::SetSecurityInfo, ADVAPI32.dll::InitializeAcl
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAccessAllowedAce, ADVAPI32.dll::GetTokenInformation
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::SetConsoleTextAttribute, KERNEL32.dll::SetConsoleTitleA, KERNEL32.dll::SetCurrentConsoleFontEx, KERNEL32.dll::GetConsoleWindow, KERNEL32.dll::GetConsoleScreenBufferInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::CreateFileW, KERNEL32.dll::MoveFileExW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::FindFirstFileW
WIN_BCRYPT_API | Can Encrypt Files | bcrypt.dll::BCryptGenRandom
WIN_CRYPT_API | Uses Windows Crypt API | CRYPT32.dll::CertAddCertificateContextToStore, CRYPT32.dll::CertCreateCertificateChainEngine, CRYPT32.dll::CertEnumCertificatesInStore, CRYPT32.dll::CertFindCertificateInStore, CRYPT32.dll::CertFindExtension, CRYPT32.dll::CertFreeCertificateChainEngine, CRYPT32.dll::CertFreeCertificateChain
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA
WIN_SOCK_API | Uses Network to send and receive data | WS2_32.dll::freeaddrinfo, WS2_32.dll::getaddrinfo, WS2_32.dll::WSACloseEvent, WS2_32.dll::WSACreateEvent, WS2_32.dll::WSAEnumNetworkEvents, WS2_32.dll::WSAEventSelect

Comments