MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
SHA3-384 hash: cb5ef2ca9c8e242c10c547dc70ecf3b9149c32db1f530350ab57f7b1aabcc68aef36e806328432bb385707a89db46da5
SHA1 hash: b48ca67d478bccbe215b954c48d7ead7a981c534
MD5 hash: ed29361a67a1c5bb58ce114c4de4f7f2
humanhash: ohio-timing-lamp-oscar
File name:MV RUN LONG VSL's DETAILS.pdf.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:777'216 bytes
First seen:2025-03-11 03:14:53 UTC
Last seen:2025-03-11 03:19:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:/JPYuc154p7lJrEn0ZJno+8f8n6xbTDDkvGJ2bvO0hc6h7g1vJmOXjUADA1:hPYub7lJrZZJ6f8n6xrDkvGIC6O1/
TLSH T1EBF4F1167524FD9FCA7A4CB04517E93043F16E7A910AE3824CEBEDEB744C796AA04393
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
516
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
MVRUNLONGVSLsDETAILS.pdf.bat.exe
Verdict:
Malicious activity
Analysis date:
2025-03-11 03:24:35 UTC
Tags:
evasion stealer ultravnc rmm-tool agenttesla ftp exfiltration
Link:
https://app.any.run/tasks/46602c80-3eb6-4766-bb09-64773f7c4d55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cfacf21f777fe30608d1e6
Tags:
backdoor micro shell lien
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67cfaac14a3011c802ccd023/reports/0ba3400a-dff4-48f2-9ee9-73825d77cc63/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b804c23-50e9-47f2-83ab-80f68a4d482b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1634808
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634808 Sample: MV RUN LONG VSL's DETAILS.p... Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 48 beirutrest.com 2->48 50 api.ipify.org 2->50 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 13 other signatures 2->62 8 tgjeTVo.exe 5 2->8         started        11 MV RUN LONG VSL's DETAILS.pdf.bat.exe 7 2->11         started        signatures3 process4 file5 64 Antivirus detection for dropped file 8->64 66 Multi AV Scanner detection for dropped file 8->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->68 70 Injects a PE file into a foreign processes 8->70 14 tgjeTVo.exe 8->14         started        17 schtasks.exe 8->17         started        19 tgjeTVo.exe 8->19         started        40 C:\Users\user\AppData\Roaming\tgjeTVo.exe, PE32 11->40 dropped 42 C:\Users\user\...\tgjeTVo.exe:Zone.Identifier, ASCII 11->42 dropped 44 C:\Users\user\AppData\Local\...\tmp6849.tmp, XML 11->44 dropped 46 MV RUN LONG VSL's ...ILS.pdf.bat.exe.log, ASCII 11->46 dropped 72 Adds a directory exclusion to Windows Defender 11->72 21 MV RUN LONG VSL's DETAILS.pdf.bat.exe 15 2 11->21         started        24 powershell.exe 23 11->24         started        26 powershell.exe 7 11->26         started        28 schtasks.exe 1 11->28         started        signatures6 process7 dnsIp8 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->74 76 Tries to steal Mail credentials (via file / registry access) 14->76 78 Tries to harvest and steal ftp login credentials 14->78 80 Tries to harvest and steal browser information (history, passwords, etc) 14->80 30 conhost.exe 17->30         started        52 beirutrest.com 50.87.144.157, 21, 48600, 49721 UNIFIEDLAYER-AS-1US United States 21->52 54 api.ipify.org 104.26.12.205, 443, 49718, 49722 CLOUDFLARENETUS United States 21->54 82 Loading BitLocker PowerShell Module 24->82 32 conhost.exe 24->32         started        34 WmiPrvSE.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-03-11 02:50:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzjnkqkfg36ole5k3kemeyegv6k2622e24aloayv6t65t7vqwcjq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
error
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250311-drz4taynz4/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/9544bdf0-d232-40f4-aeef-273afe6925d7
Unpacked files
SH256 hash:
0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
MD5 hash:
ed29361a67a1c5bb58ce114c4de4f7f2
SHA1 hash:
b48ca67d478bccbe215b954c48d7ead7a981c534
Link:
https://www.unpac.me/results/2aff72fb-b917-43a0-a459-0d84d3a7deb3/
SH256 hash:
5508705fe6919ae567b97f62edade3c4349d523beb5c9d5b937cbeb85ffa16e4
MD5 hash:
0213cb9120bff152ed71f1cea81791cd
SHA1 hash:
3beb51c7087cb468946c0ae7796917c4c721cec7
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/2aff72fb-b917-43a0-a459-0d84d3a7deb3/
Parent samples :
0d0c947d97036bcc46f7527e5a3953889c2ff2de32d503e463fbfa19d035716d
29d5ec780d5e5c02484ba41f291e35d29910e0ea2221c48f2ba19c9be746b8a7
7948d6bc00bb389e09c76ae4428fea70cbca1a58eacdf98295faba9d1b1b34be
602c89f6771cab55f5ec65aeaff614585d4cde2ff38f5751ca52fd062e871d19
36e416de11f263d66e35f83dbdd65d90655ab28b0aa8ea02b668d1935057bc6f
0ffd61040c88e3beb1cd998b777cbbe118f52daa4eb2759cd9329de5d7f2adc4
e8fa06add1e83397ada8e5d1816a8e9ae2b3f6e86ec3d4a1264436cee4a26e25
f6e4833668ca8d61f06a531d2dbaa1ec38f0905c7a3d4523c1cb142df066d74e
0bcc9139f97f4f59ca400cd44f8012cf9a66fa3cb803f6fd35fc780df3e562af
365a64d31e1b6981e3be8d9bae05ee95e3d0dd46e0329e1bff35c74c810111b0
70f93b60537a4520135818ff850c19575d848f0024c1bf787fe25cbafcf4524d
fcaced686feba6d013cb3ba8b56992c3c16279b0eab884a15422848e46fccfc3
ba95be63efbc9cccf7d38c3a714640760df3419f5578f7da287717d3342af115
f18d276ce3ec088f6d446e409489bad5c9b613d6c1f10a6538724749c7cf2af6
185f2a5bba8a703412e82d5fd9e5864291a6317c63c6ab4fd65dd62f5afe453f
272b1e13f8fe5c1e0893d98bae35caae57cacd20baeec78da5a2ea7c8a65d4bb
730dcaa50239c82c3d920f812bcad23a638a09c783479097291f8a6d9bca07a7
6771cb2cd76d2ce3cf81ee1defd8a2649fbd029c22a2d41412d3747211549724
59ca67046d065f0fd86ed3ccc7b41aa3168e5557523644fcba23d1ac65ce69d8
e45b701a7306aa4a47751b8166e369a719ac19648f37efb1a6d949de36a3d1af
4db7507380d62465271df29775dd284e6421a2f6848bc9f5eb17188d399e9edf
218ea3221f1a07f6654e098dc86bd1a001790573d76cc8016dc9c69b93bc2cb9
cb3a38b5b53f478a2a83ea040885ccb2bea9d29e3d9db4af38914bcd21bf89db
5e9e96b9e53a7d849b545872cec08f3ec4dc1b2ce51c841f647a2212ecff5b3a
0b7891b2cd2c16bac66ec4f815af883da8733e91349faa58a0f6e3a76b10a2b6
ea0c32eb1b07b604286393d15aae41903485f8b1d4f2ab0d77f151323ec41b14
5983574025dcd5b8f185e68bf5314c2a4b59179ccc70df2e869c2c7807609223
cd7cd7f1cca233eab23d5fc8b50d0025dda42cefe89edecf38a6324eb3dd334b
cea7de59cf54019d818a1a1622e0dd0a28693a61f03b8a5d5d9f21b8ef0d451f
0231d2d9b4bc4935dd4eed396ec39b0a6ed73bf239ccb2a049424175e42b42ce
6405b747fde1c1d6236310d9f20c27b1e41c8c794fa5e7105c42e35be7429567
32e7f235e8984eb5c256274003623b080eff219af52c266d1e87c5247f1c13ca
0a928c91d233aaf06fdb99b830b6876c237f625fcbd07ec7dc1667db9b261f7c
84b02f74e5f96e8f49ba7ebfea96a3c73ce1389b5882706fe6b627f55bb9fc41
4aa20addbb057c7444978c737438b5fbc743759d3e2e9f1de1a22dee3dc53399
90fe21ee61a76ea781edd59a24eedf10d10e342f2ca82756be3ac25f279181cb
040bfd0e41d42919f6ee318708ddae1ea268a8de899fd74df5ea218710fe2a53
2b4b87faf461d7fc3d1ca3344b9a5d0b52c98a63ef59ff5d53d9d9620cae98d4
9525ab40a71a0892815a416b4a10faea2594349b0f61c3ac16d53c17883d75a4
67b0a84140f5090a7660f4b6f88162a4b060b7f0db79cf2cad8aee0133feffc2
b33e4f92a06359dbcc7a616f128d3d6dae61994434347abb2991770565dc7aa6
80742a25d1550dd0f7ccb299672a5d9de889f57c0e53e3e8eea0e50d6b7ae33b
738551ac18e19c1b51d1136be1fa97b5ced0008b8d3d4c2bfc238387989f51ac
970791d129721273f0d53c1b4c352c689d3992ec3a236bfa5b4c39804821f64d
786f963d1274cbbd163bbc25e9f2fc2ee600b6b84bf98f80e138a1487e4ee4d2
319fff87d2654e260489db6ed6065d73aef9b0ae8435b2f9b79ececb32a77fb9
db4c571ccb811d2158c447987c56f24e7b3598b822ced017ed1d08386d05c8f3
9f7c0c15d4f74e79b67ed9b0fb9f773089cab534cb89cafeb5bc45abc9bfdbbb
4d379bd1c249d9f0e75915be63dc4290e1854ce9f90f70feff9a983205a649e7
d489cef2aa2d00dadb98bc10e6dc58dd4d2f43e33d089839a43eca2527b67fd1
ce0656d79699a86c7a59333646e0248408e03e9b8e157289fb8e04e520a251c3
cc40ff4d1e988abfed4e517c8505aad995cb8a3315ff1baa7ec6c352bc44983c
35ec397eea9d33a1ad18da5f55087a53a47771a8c74a85894eec1c133c085923
73e9f4260bee7a5085a8ea170c7b46cb43b634c245b236fb42043bba6dafa13f
04530d109a0db9259be39ff14a996ed7422b01a9769cbc5e3be8a9be7c1fcd29
3aa6510b5cd734042afde77fce92ce73aac28de0928a37b651a915df342b1c10
0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
79c1989be0f722072b944cd12a158aa3c4cc59e482846bb3fbdbf5b6667840a9
9b282e72835c39f458f208a4ad3d8304d2c44f559a9f3e3ee261498141a3b180
9ffc425d5cff838fe149b405905d44f9d33a04ede0231816d903c2db6b24bca1
1252570986e55437d081f64bdced5002dfcd9d77f6986cc3c08fb62ee5d4fce6
a945a37f2f17704d943bbea6e52c91a63a840d89d95e7aa01db3a5f76f3880b5
ea2fff04ae61a836c06aa0309096c94439590cf83f12d8ed9a9e6f6edf2f9f34
864bd24c791d20a86b11595632dc2d80c914c29d5d7b2893899a0e9626c5bfa2
aa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34
d0387872c43a63fc0a157c84edc3a99abde2af204ba4f25969209ce38d7ed15f
e9e69503f6db09e9ba9dcfc74ac4288b7135785d9f6aabe0af823a34812e9b2d
0bc4589749f91661e58192bb1200809244d27248e8ee1935baeaaaefd60aa7f6
f38a008406f2bca311aa8014976f27669d52d494286f3dbc1dd10259f8382324
7403170739b3dde1b83caf1f16c78b7eb27e1819df13647ffe08014d652fb3ad
f5bf548a92e16ade13e22e9def6ba5bc424c9ff797570e5992b615d9adce311c
0d173d647ff21c983845365edb6cfaab515479dd8eb6cb47f3c2295afffe1004
3c7f61519b46af007450df7ef19b49df3a8b60d0b7c4fd82112068994262be6e
6f8e85f3704f0179d0854b1c278784441b0e555f6cbbd7af19a677afaefef004
6d2cb72f8519ea6716edf231ddf36015328196b5e3add66e90a7bf75e100bcda
1b5cd72684917ce49995daafa3a6f98ff082b0f2d05807c746ee04a94c8ecaf4
1827dfee3f5db9c0924437ebc91434d916f36f7ed1be8b643d2df2fb9d7e07db
7cab67f3270d22af388a715bc460f69be5f200da4576be5940c190a008a2e765
d2de2cdacd6417cc261b2c1f95026b47e14af21e097efd1d4ab15a5fab6d72c4
f2d754008958e2c90dbac5f60958e0add5403563e51f5414599d35f88cd0db2b
f044b5d05d7ba6db1b4145a880af916645f2c3e1c28341cee79021ffedb4d1a9
f687ef7cfbf2fefbfb85644f57319e28c04f9feed590a317056fef8c130c092f
9b8178881c7c7d18b45fe179d604a23748349cf7e19250edad32072039d683b1
abbf3ca6ba1cfc464fec6b4b7e448218d424747c1ed35af22972efe9a32a984c
0b60052aa9546ed87efc290486a10497e80c98fe11ff92ccf8e489e6dc6d0927
SH256 hash:
2bfde305793352cc0da1adb8ed99447ad59f25f03c67d5756905cce802618749
MD5 hash:
90cebe77febe3d68f79fb7e03876149d
SHA1 hash:
a665a04102d72778358e1b045fe3dd46996d2fca
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/2aff72fb-b917-43a0-a459-0d84d3a7deb3/
Parent samples :
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
8647436d5b5e93de1fbaf9571e584ceaee4a620cd39b60472da87e694239c317
c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
d9af97e029e98b7502110beee9913df5132c5e1ad620e6b8124bd395c72131d9
fcb4c6602aeea8229338eab9ed2deb97c27e07601791ef19c7e43a830079e416
053c940f835b1c6624b6b0421b680da5c984b056734db107a7d6c8dfbe1837fd
8e3db35284b6e1ea560c14a69ea4dfd6ef8e27fe9974a609116d00f2d764bfeb
c9f0c595e62ee31b17e1b62cc7be551a1cd46c3395a282fead293a5033674328
793683a76efa38f5ad0608e7a7419af3802b4a7cd5d3d428f2f1a7e6f0e6ad0e
db20bf3295f1aae23ce386ffb850622a77a474a8a1ddaf240965082ee03055bf
faf287257529efa93234ce96fd47d0d43a4884deb7ec54e337bb8ba49b1d12d8
90bca1aee1c83d0c4efc1d89a1c57b991be078a6fcff421495fb9cdbed974c70
b3339675855dc36ef85d78208f43924b6eb62a978caa41971115b13a8c9cd951
03438d007dd69f9021f8c37eb21cd9f817189c99f86e94136b0f6223e07a7366
20aa510e22a6e0abf81a9cdb4491977cc7035ef0f62bf4e97e880688594707a8
ff487e2ea6195cc78c6c3f1d9d23aae0902eec37964143cf85cd425252a0072b
eec4404be651d77865707efa282ec7899a97550ad25351a70a926679f6b34bdf
430ca931fb30ead2352f1f6cc4c832d5e83d0586818e47febd3d9d2dd83950de
e0e7d67763efac156e039e3b9b8e4cf0e269109164788c4901f338f1399699ee
a2e0b264504e6338c455b6227e85273903c8f1f901809eeaaaec9e917ffb09dc
5565d238feb8a0e52f4185f696eac6e4d817d878ca99aab4ab16a341b3c828ed
7a52724e8dd312054edb1fe92f4661be8a4696efe209edfec3f43b7fb8fac3c8
97a1e4bfc76eeec8faa59bd7de85088d2e42cf9562ea66c2305d0309080712ac
68f8a928d8c7b9b1da3ed341ad581da0fadd5bdddf781e0d8831c94553d8d5b3
10eed1464345d7548cbbe6e76ece440f249d9daf5bf13f973f68136d986c7fe5
99e2fcc17330e0e1d8e31c814d659c4a00110a6da389102e22a25eedae3933b2
cb9c62c96c1409b6151ec4cdcda1b0750a13dd61352ca9ed91382a978cc8bba0
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7
1f73dccfdf8ee9cb8fb841e40c88a7b124cd28c0b06688eaf2bb81ef4f4ac0aa
c75134c43e97b75bca4ced11b721253c5774cb0a78184acdc5c55580aa07df85
ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
941559a78b6e1caf39212048e7f62723e5f283d1942858cc07a339d6d6b24362
59e8919a70ecf74746e7bac52469b520a8a4fa929e8fa8171e22342d8dc4e1d6
b3c12cee79f27bba7b9d58c690083d38170fac66c70ab18dd5897bf0268fc114
e9be7f50bd810d3b8a459a54c2310b567dd7065cb52803306cc5e6132eb9e12f
2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d
20b88c89c50d71a77a0f2e1007a39cdb0b78f44c8507d3b492e8875a44861279
25cc6ca776e3d36b9aa29c331b522f23f1b309398372089d51297ff179a51bb6
853b91e9b020663d17ecc679445126b293adf51dab2791e846c31adf4fbb232a
2f7226f97fc49d8e893e80ff5e3e1127d0ae76650045dbf30c36ddd0535c0af1
8c511dab54355d76edfda60811e62b832f7593919b5c8f683b53bf6690bc808b
2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535
fb98e235d9cd58d96ab4d3389fdacfff82beda19357f313fabd95729bc984ee1
2fc60266d45774d861a84e932cb572f683a5c140406a6709adb10a08e5391b9b
2843e5be520970bc04d4c2d1d64749c730cd115037cd11b10a5c4073f001ad7a
ea245dfb5adebf5c9635d41f7e92c9194f6a20f900d9bcb14b8931501f0bd411
4da351698b0432b56b06b8bdd26fb7103b973a7c70bf666cc1a26e13fd2585bb
29d5ec780d5e5c02484ba41f291e35d29910e0ea2221c48f2ba19c9be746b8a7
602c89f6771cab55f5ec65aeaff614585d4cde2ff38f5751ca52fd062e871d19
0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093
b21d51c3a5519c6e41de9ef4e4bbdb821f2d76f6cc1e2b01d0a0fae37723f25b
f687ef7cfbf2fefbfb85644f57319e28c04f9feed590a317056fef8c130c092f
d16be68a77facd56c4553aff3be893308c986f726619cd0785b5cf8cd5993f88
2c94e0937726b8c53f46350c17b50abb816f720708055e92a097c796a9970f01
265047bb3b17c31db8680e5dc97255cfc147e02f730db48a6852cf403033ea69
933e3e0bf29c5545bb4ea400f0ad62be69b957475e82a6bc8ce3c2a44622d4b0
71e061da69a80307913e97800c500938e1aa6eadde0fd25758b9b394ed1532e9
ff67a4429b3cd257a8ef58dbbc90450eda82271ef4256ba1dc5fa6eb215fedec
2f0ae3872ddb72b9c17060aa7608559a5cd92d376dfc88441ff8c54e6f1a65dc
9bb11533ca7287474f25da8cd5ad24afacc6b66175798298c6924035b9b3f92d
ee0176357d58650cedb8212e95249b9ac0e17145587e398a344c03ad95334618
4c17a091bd4bc5abea728c7245ec9c15fb98693e661bc6ec20239b91db33faa8
8024fb977a8ce280bd9bbe8984c2a1eb02a39c82222940de7b8951fc1493cd80
8b83d463c4ddfc873ac4954f326d473cd6aa3443617fdba8860680188500def6
69b4c8361199937a0cb7e28c689e3dfa2967af5dc5ed0c1fccd770273cc3c71a
0f22c8a761d26fc6db2f20b2c3070269bf8248eebc03743250da0805ee9a8511
183c72638416f3649f30da841ff7a88d29f6cf22f393db7a96407e939b9c6647
SH256 hash:
253b386d210a3c7b05e4e66f61c4430448981896c585e855600d48f52a133ce1
MD5 hash:
ebe38a31835d0d02aa0a4eea542453fa
SHA1 hash:
d1d5b6150e73ff1cbf8b5b9a52f87abad633acf1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2aff72fb-b917-43a0-a459-0d84d3a7deb3/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e52d5414536/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0e52d5414536fce593aada88c26086af95af6b44d700b70315f4fdd9feb0b093

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments