MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

SHA256 hash: 238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84
SHA3-384 hash: fcb0a71ba3697d9bfb546b7d2a791951dc8067211a922199cf1bfbed9aa0292a97f29b93a35277b29c4e859201e24225
SHA1 hash: 30fd26f9c6368e24763e9b3f8be87cd19446292c
MD5 hash: 0b84f4bdbcf896cd8159455957a76b07
humanhash: vermont-kansas-victor-carolina
File name: PO47320666.exe
Signature: AgentTesla
File size: 758'272 bytes
First seen: 2025-01-21 12:47:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:sShIIO8DfjigXxXdxx74EdG1bntMtM/xNKQ41:sw7fZXNd34EoiMHy
TLSH: T1E7F49DC03B3A7711DEB8A7B49526ECB463682D287014F5E66DDE3BDB75A83025908F07
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: TeamDreier
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 448
Origin country: DK
Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: Purchases Order PO47320666 (691 KB).msg
Verdict: Malicious activity
Analysis date: 2025-01-21 07:23:49 UTC
Tags: arch-exec attachments attc-arch spf-fail stealer agenttesla exfiltration smtp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: shell virus lien msil
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Stealing user critical data
Adding an exclusion to Microsoft Defender

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: obfuscated obfuscated packed packed packer_detected phishing vbnet
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3

Behaviour
Behavior Graph:

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2025-01-21 06:52:21 UTC
File Type: PE (.Net Exe)
Extracted files: 24
AV detection: 19 of 24 (79.17%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection discovery execution keylogger spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Unpacked files

SHA256 hash: 2df08e3fcc7d363c6c3d4836f420088903c2853f8a6243e2d035c40899aecf54
MD5 hash: fe9b94bc0027a4cb1c82a55191159292
SHA1 hash: f28fce2bbff4aef4fcafdbe538eb7d26f0b3f061
Detections: AgentTeslaXorStringsNet MSIL_SUSP_OBFUSC_XorStringsNet INDICATOR_EXE_Packed_GEN01

Parent samples:
SHA256 hash: a0b876454eb8996f38e899fdee703fc1e1b7e349e6cf68936f985a9b743ac9aa
MD5 hash: c27c17445e34129e27325b91441dd70b
SHA1 hash: a838ec4717e19c61dc6871761679512914b52800
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 52623f7f653468852363e6eecd312eacb8c07d24f3e4d06a736ee88d5945d6b6
MD5 hash: bc67ec4fbc8d26fa2992db28c17d1bd1
SHA1 hash: 09de04d8f8eaa2f5509b632e26e0d66053e6a3d3
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Parent samples:
SHA256 hash: 238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84
MD5 hash: 0b84f4bdbcf896cd8159455957a76b07
SHA1 hash: 30fd26f9c6368e24763e9b3f8be87cd19446292c

Malware family: AgentTesla.v4
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTeslaV4
Author: kevoreilly
Description: AgentTesla Payload

Rule name: INDICATOR_EXE_Packed_GEN01
Author: ditekSHen
Description: Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name: MSIL_SUSP_OBFUSC_XorStringsNet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference: https://github.com/dr4k0nia/yara-rules

Rule name: msil_susp_obf_xorstringsnet
Author: dr4k0nia
Description: Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Windows_Trojan_AgentTesla_a2d69e48
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe 238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Comments