MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
SHA3-384 hash: 43a38e6c396abae2221c176a4c7b73ec3360ab3fbb967b7bf8892e3e255606055c5541af5635b8f27b48767d91ce38aa
SHA1 hash: 0a3a451242065756664b675283c479c7d1dee554
MD5 hash: 336e07c5ea82b63bd69990c5a869358c
humanhash: north-beryllium-beryllium-diet
File name:Order Specifications for Materials.docx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:832'512 bytes
First seen:2024-10-10 08:29:54 UTC
Last seen:2025-01-10 14:07:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:dDOEDAbO8fwCKw6g8uJesHTbI434pSSn:lOEDWzVKwgUobn
TLSH T18705016E7AA2ED51C3282F37C0231608A17BD816D56AF77A55ED6CF40FB1A44C94FC82
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
528
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
OrderSpecificationsforMaterials.docx.exe
Verdict:
Malicious activity
Analysis date:
2024-10-10 08:35:46 UTC
Tags:
evasion ftp stealer agenttesla exfiltration
Link:
https://app.any.run/tasks/0efff5b9-324a-452b-aeaf-9b612edd8fd8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.8145.31606.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6707908fab31793a7b2142d2
Tags:
Powershell Underscore Lien
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin masquerade obfuscated packed stealer tracker
Link:
https://www.filescan.io/uploads/6707908d0880c679115eeb59/reports/9ddf2993-de26-4ecf-aa02-881254484e42/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a5ce8e3-d418-4322-980e-fdb75d0f5288
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1530660
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1530660 Sample: Order Specifications for Ma... Startdate: 10/10/2024 Architecture: WINDOWS Score: 100 65 ftp.haliza.com.my 2->65 67 api.ipify.org 2->67 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 19 other signatures 2->79 8 Order Specifications for Materials.docx.exe 7 2->8         started        12 pBiJrwHWa.exe 5 2->12         started        14 sgxIb.exe 2->14         started        16 sgxIb.exe 2->16         started        signatures3 process4 file5 57 C:\Users\user\AppData\Roaming\pBiJrwHWa.exe, PE32 8->57 dropped 59 C:\Users\...\pBiJrwHWa.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\Local\...\tmp12E0.tmp, XML 8->61 dropped 63 Order Specificatio...erials.docx.exe.log, ASCII 8->63 dropped 95 Adds a directory exclusion to Windows Defender 8->95 97 Injects a PE file into a foreign processes 8->97 18 Order Specifications for Materials.docx.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        33 2 other processes 8->33 99 Antivirus detection for dropped file 12->99 101 Multi AV Scanner detection for dropped file 12->101 103 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->103 25 pBiJrwHWa.exe 12->25         started        35 2 other processes 12->35 105 Machine Learning detection for dropped file 14->105 27 sgxIb.exe 14->27         started        29 schtasks.exe 14->29         started        31 sgxIb.exe 16->31         started        37 5 other processes 16->37 signatures6 process7 dnsIp8 69 ftp.haliza.com.my 110.4.45.197, 21, 49704, 49705 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 18->69 71 api.ipify.org 172.67.74.152, 443, 49702, 49709 CLOUDFLARENETUS United States 18->71 53 C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32 18->53 dropped 55 C:\Users\user\...\sgxIb.exe:Zone.Identifier, ASCII 18->55 dropped 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->81 83 Tries to steal Mail credentials (via file / registry access) 18->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85 87 Loading BitLocker PowerShell Module 23->87 39 conhost.exe 23->39         started        41 WmiPrvSE.exe 23->41         started        43 conhost.exe 29->43         started        89 Tries to harvest and steal ftp login credentials 31->89 91 Tries to harvest and steal browser information (history, passwords, etc) 31->91 93 Installs a global keyboard hook 31->93 45 conhost.exe 33->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 37->51         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d/
Threat name:
Win32.Infostealer.Limitail
Create hunting rule
Status:
Malicious
First seen:
2024-10-09 22:09:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=epgykrwtnmuses2hjnp7623h72tkclalzsclbtoh5bgkep27v46q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
agenttesla_v4
Create hunting rule
unknown_loader_037
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/241010-kd5wgasbpf/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Verdict:
Malicious
Tags:
agent_tesla
YARA:
n/a
Link:
https://app.threat.zone/submission/83a068bd-f873-40ad-93ca-7e21c622afd6
Unpacked files
SH256 hash:
4a620451d68e8774bd46d75d018e06c8fd629b4a94771df5a19eb7ce0bd439d7
MD5 hash:
2eb74c96838503d5cd467adea43b8abf
SHA1 hash:
b324ca13ed5183027996f52770f6ef2c9c3de3ee
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c99eeb23-093b-4a18-b970-a8d7a718523f/
SH256 hash:
a193ca3b85a39c67ce59b28223ff573d3979387253380571d7382a341adbbaff
MD5 hash:
8d3bceb4f351d16d8c19a1c3553ec70c
SHA1 hash:
adf070a8f4f475800c619b4d88ccb17a488f38cd
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/c99eeb23-093b-4a18-b970-a8d7a718523f/
Parent samples :
abf6f6f8527a650cbc514945d036330694d9febe77fdae82e8a2d207789faa51
06d709cf438f3fefe0ed7858278e77e1188422e2b4d59706f6c4759df1a5aafd
9266e7c60ee4abd1b415a2ca3273d0a9d83547807f610565ca964065fa0aac14
4d5fc3f460988b553111d1272933b57a7b98deb12ca477e16f89f95126c92613
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
eb825b11d00bc3ec41e7856a59ebe1027e3f9c9128a177e182f688535f22bfb6
08fc3b1fd5055344609064d31139e4a8e1c26d8c5d353b1ca97b4148f03d8823
142873db547e46701d0630bf254b6e4d7570a37e62194e89264b53410682d9a8
3c6442f58e0a1c358a1175dc5510899c7f5a753e9615abefbbfec7cb1bcb7bf4
a5c97f8e1ff612fbfcc18f1a1852db11099e58bb241f5b825c74715c60dd0fef
9bed7abc83b78434c8423a380739d28aefdb7dd445f4cf8d3894991de7c79c16
cef7d88f9ddb7a30478aa00624340d206b0d84553d8ee969178d8ed59cea3033
470733344bb4e563a0b482efd18cf1f643808164c1093b9eea60e6eb0f40127c
b1520b6a3358bbcad7d55344f3d7bd2e75a9075ef4afd3f7c23de5def92daad0
175b56f2026e4e7b12259dca5a6181cc8b8dc85f88f6e24561246fc71ac9624c
9ca515b794477e792d95386fb74f8efe7fba769a2a082c5ebb3cc2b7d2460a95
732336eccda1e0e01a9474a968eb6ac9725fec8e8e03ad950472df75ba470693
f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b
fef8a3967f5c6164745be39c6911671f07e6fb7c690df94bbad259fb550a7abb
834d4e9657f33ca5bea5956050e5188ecd53b8a2fcad2b6136dc60f83619691a
e7372cd29537f5e27f70f6b9969cf16b2b2bcaf655406722f87efb7a74f2be38
c56b0068b210b206f7c93062eb115654919ea50fcb21a35391b25e33fcf92af2
4c862b599a4c9a2e709ab39c52f577a99685c5a2fd2683ff58ef67bef169438e
88fd2273dba726f8e93082eef548564c84ee1f3be9f69a7d02ef9a3ed7f8ea18
febb5bdd2ccb5a6421696cff51519112f8eef6abe873b37e24e6b1b78fa942ba
0309aa8889daca83b4cf97ab99bc9921bb549c9187736a69c76185dfe68cd325
94f98b239d0b82e134302c53455418fdcc7ed9ff19b9d8e9b079a7961c03068a
d1c69953a06498fe205f2b9feeeaff6258ed120ce94790d3a7107b521e09bc6d
399b9d5f1658e0050f4861e992ce7648ed78f8da0b9c7789da902550e7513884
4b7fd648f2be722b797647d77097c9245f2d61d9898913544f3f1702ced2a3d7
0868d29bf99ab1267ab55c306ecba0d147e12c1e8c6cec05acd76ded3e4edd1b
c9f9cac249b944a81dcaf942997c774b267cd4b27d64318dd5d91583274098f1
44223862b1ca9060ca97e5f36246dc1efd66a68745380ac1a6a221f0bc485b35
cff5f0bb2c9dc0d52591745ea43e9c7cd8dc46ea14c5a9996c72f76e7cdf7011
b37b37330f9c4970ca450212d0e3e902fb44110b4570bb07574621354509d045
cc080dac2e57cd7ce34efc7e9cfe8d14ed9dffda5f95006f2d010557b08220f3
3b233c5cc8b85a8020975ed736b93644fdae180f1d6f5190d91a3512e813ba8a
ea0d7f34cfddec8c57ddf23bfc5eab2c1692f1b3f5e8fdd6f4f7f8596e478d9d
dc4adc8ac3a46bc4cf987c81c9bdb338994bb77ffaf9ee803bb3987600ea7a12
d8df8ae0a2b685d4a9e0e2bc5c624c2b8b9be74d8a0ce6d00ba982e9077398e4
fe32cd498b7f031639961bfb962d1289896a3667f38f06f801b2c5d97d0b5906
836e1a1a93d29eeef8a26fd8001cb5efe017c899bea5c4d404db74cc7e6ea563
171b961f6ef845235612fb2685e94832c38dba1143dc02970bdcab7389fa3383
31a702cd5ff00baefbeb5f301ca3015587a099b0046939cc3d1e8cd553eb3147
40472fbefd08c24147afbf941b4504ee7a4658409e0077ec98c1e7dfb4c507fa
d360ba3b74cc01e2352a4070922b2dca3d46c7bfe5e4cde8ac474274f8522455
47e643f3f3a8fcb062b8e83acf86adc8b6f5256714d88aed3c95e48693c937c6
e46f2d7b2f17430fbf6670db5f785f22a38cec22cf879259032b1edb1d074c41
c12ecca79747db3f47b548b79fe0efc40e048fd1f430ec2e2fd9eccd6bcc8ec3
d72e2b372f10ca73099c02fedf3506ba76ba2aae1719f5bce7c7781454d1eace
68e83b9aefb2c1899294a6a9da8a3c2e34380d3e3af51c68d6c706d383ae61ce
4c11a38a17a285f3c95774f535fa79e2596bf5723b2cc7b870a29f06e85727c3
1546c45496290063818a4e24b240aa8cd88c8023dccb2876706a569a0359be9e
194f2fcea5e7a2056112f479911bf768c494f8dd04702471f643dca95bae46fa
51bad1b993f7599689fdf576e1f79383f6aa47e6ff1ba4775a7e4412a51ebd1b
e23a32c4d68cbf04b1206bd1459678a749482d44ef5ed825e507d124d34f8bc9
b4b6159351045ef04f9ba6321722c1c1fd920eac7a3799665d2663775edfa84d
6f4bbb5aee6549053ab218b1d564cdcb6b07144dcab1dd3e92683d640f3a8b60
57c7933d769882ce3fe88605d7796c2137e8ae2ff2084469478af084740cb721
8f7124624844c97145faad6f265f2a15b5f1fa67f107168b61fd777d987d9f35
f228af74ecf7302bb5e8d9ce8060a9aa3fc2bd583bd477e23543452cf1cebad6
cbcd738e4acad1d80148a67af4dca082e19f2d411f14fd0aa41d1c9c98fe5048
bfb4b96460ce25a3a585f3780f8ab6c0db4d31dccfe614491876332c028d4328
c82b82cf444e4a02ffe7091ef5ea7bea733c2127c38366c88775cade7d234681
b612dbe8660225d074563250626237783bfdeedf5bb38d5af1e2789690787fc8
5d021ca8e798f9713c4778b806fa00c207dbe34f4efec22ec5d1b65dd59c68a7
03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6
1e3104a64ac3e19163d22210b2f4df66dbccfe1731177ba1022ff9044b421c84
868444860f70d7825d5801e3ebdc8e9f0c5ffe72c3f42a938b7df98d50e10758
1dc4c4881f138a6f1ffae6b406e696a46a89f3a0d1265a5ec6ed3d80dc40ea32
86983eeb3231d8cc4eddbdec4b8b19194410f6adbee3265bbe68cd4a1ddcd161
d25aa55294fe6a2e98ba3c985c3182d745c511754c03ae7b4080133a8bb2e3bd
20648ff1d02266ebeece4bd2cc799c0b2be339887a45593c43cc851116820d4d
545f70314c72e3b34893811f991d96aa1cee2049f346419264e10f0ae44400bb
f86f20a799e10fb4906d426906e30734636a4c2743b8dd1b781adb307f4d5576
a6d2a47171f9630a8db62eb4001e196dfbad94cf40638e108cc649883d1bc069
8ed60c6c3516465b2918af6a467e3b38c3b64fa39a32ee79d1337b15e1c3ac0d
ac56ec5a81bca833585ad1c052dc5614936523763c87ade64f519b23a4f0b24a
de9e447ac18100ef9696307210d5de75744aaa34f346c0b3bb894f7e4fff92c7
ebb5ff83ff02d5cc378fdcb1730736e22535ea3b945df2f80c992fdf09d21344
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
ec40bd9352347399d79a1393ee4478d945b81a0c5555a8d30bf043afb1e70e93
2d1500188097d6bc8f6bcd1690db485ea07e82470b2a631246a4ff5c4b64fa42
067d0a32b11208193e232f3b4d05b24f0d730ffb23049a1611be068738b9d11c
2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
8c3b7bab6d9c32f813aa49cc65578049f516dd8607f6b2b43fd1e696d5b86988
SH256 hash:
a4ea280f8614b914a14799ef2c29779bc5b6152b0ef9d4f721385648da0db212
MD5 hash:
f636f2454dbdadec5a1936a8455db489
SHA1 hash:
657d86842a83eac4829596129fab2ae5862f487d
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/c99eeb23-093b-4a18-b970-a8d7a718523f/
Parent samples :
b7f92bbf59df7cfb571012b7aefa91bdc9f25b9cbced01e91dec5b0fc1380f7e
ae7c268e9b988e9fa86380095f0a5cbb7d04024505c01dab09feed5ab8551b8d
338bd51d53c8c482447321ad6d1ec585faedfc3b9d5429f3b33bd805eadbaf92
0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
9952c53705dfc353eeaf4262192cc740a066cb2e401ae3ec9e2ba11706f429e2
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
be5f3e984fc55b64b4aafb52c1390a52ab94c92a345ba3008df931d2eb5452b5
c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
a674d532150b92874dc954bb8349b6e66a006f1f7dd9381f751237cc98d38dc2
30f53c188f4ca288bab139778eb5426ee3db92ddc779c8df149b501334dd8dbb
59cbe4e681c4371b18a5f6d457369560ce9e4f0eda5a39de1acab8b5bdf73bda
7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
af1c4d4509e271497c9eac4c96c1fc5c4e419c6d73b69a5141380589e479c16a
a621353d9ba0b680e8f65d1951b47a74a08c1dc903eb071a64680a7a46793197
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474
10fd2d2e6c357bcffff543914c648b64fc672861551b5b098ed84a6db04126a3
2d5f57ef41272fafdd56ac619de62e86bf57938c96032cfa90eaa3c48930f012
10559de6aa9d0859f9a8b46c69a4edb950297610a98121a1fb8a3c94de06ed05
43c802763ad10188bf10a16b5bbf7840447d46ec04d1bfc2ef60c58dab38d951
b1d51bc9c016f36486682366f537633a12b95e16e68d7fc184f7a9bf9a48a811
5a673c2139bee9e5deec79e98e0baf1026af44a5a02487d474de76d16b7eddc8
e5ee0f86a7365463f8a0bdd3591624c214c8db88abf861d06d1fbd342a6fbfd1
a641f727fa4566ec19a3a04edcbe7e177aad8fb5f2381907e6c38adfa01f8a7a
6d98593e2de051c5ab3d36ddf4107ab2a0680bdb6bc73bdf9a75c62bb05b124a
cd47f0c08702e38c1ec62ae345136fb824e0ae0db0a8294b97ca9a474edec2f9
a4ce664077c1707b407385c08eb0f4e9299229717ee02b1b1b2f9745ad82613b
819f0be98d577e7949915dfd234c0ac0e0d12088eacab58f83a4418ad3675b4e
0b22914998a25304fe8e6dc1db692f037aa9b2066b43a53f0b24da35e629e6b1
470b09e386f5cd8befb4796af1aec03895b755d4219d6b9fc14e41ae5a400e23
f0c545e288910de036c58dd733fb4202b7cb45daa4e5f0e72e418544c4b1528c
b6f18002487b80c6378f7021d10cf6a6ccad659bb9e4a2c4aa9d016c48b8bfbf
aedfae05284600f51e6fe18a6f47ac68c7971e365d827bed7bc2205f27063c8d
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
357b3313f39b40d4b9acc1181d3eca642418b945e0b35cc0f3c436b9598fd8a5
353630ee79a8d39505ae091c60cb8352182cccdb9b861d1cf6ff2e19f2cc5b1e
af1593748a93b90fe69835554739c92bc7147611b405e8e93bbbffd65ec0c958
ab713363a32fee4abae9d10b1c18fd58454529f80947c5dc221379545b1c86a4
7a560acc97e0be33258afce759c4c215a91103e7b7447e487d540eca65959f4e
7c9d0d539bd2ffef3dfee864f3f7078937f7c9fe392df2f9511ad2a21be9446e
6c863b2dd3f9e7a690f4ab3a1ec9c7da83d2f20e7b82d58dae4bfae34218a878
156ffbc1adf860198501bf76e6428debdfa847e13e73796ee9bad6e982bf94d4
b7ca5eee2c0af78525e33094a2c1d38f639824b8f051a50216dc47417f426bba
cb627325f51d6abcc61a922937e0d66beb75a7c52f28341178dcfbcb01794790
dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422
b1f950d68fb3e445f741d2bb7fefbcfe1b1a756548dcc6f88b173cae77495b57
5abfe96f31b8b8e4013501cbd3e7bb332e03b37e96f04cb75f05c04f15bb66ac
e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
b456078d0dff3c375378480fb133a340d88ae4b59d6598ead4249d66523f3428
0707da3b9e454ee6ed7fe3bbc1e61811fa9907263ed843c98ef408f5f741690c
c368072750d355e8b4139efdc6c9007ce31c2989067248ab9312a4d7479015ff
efb452117b9b073d0200fb4ab2407615a33e2149fdebfba2881e711d187ed514
57752262d1f2b530fa014b31fe3d836f47d0b8ebcc81e275a9bf173b42f808a3
f9c3b78cce61d4ef1c118287edc5d5d3324bd64df1d2c704c087e7b073d7eb33
0f99bf966f34d5152ee51fd8510a37b3fc0792334c9b8f2475e896bc2ec72a6e
2f835a2d633b2fb81fb9375cefc17313e59a283de5869b7d7f04b42e9134cf25
3a8d95ebd1a116107405f1cb2a7d42e954643a9a0244ceef22a70b656b8525a3
6fa16359905843e294d5f805986bda12aa603775ea7db1eaf10beff3493c3b93
bf166be918695404ec2724b62671d7eac13fd67e39433894439d70a2ce534861
99d1f6ce99a8c07c33ee2dafe789299e0a51c2860882a2548c6e612606b1c1c1
ddb4d0771b710a59722707002a175602f29c6d1aeab70c61e0e9dc3eeeade55e
ed27568e72ac6bf7edfb74b5a35ea694d11ca0859753ec5816bf0d84c5803958
54368441d4ed3cdc5b14f8de606c9c0ef111838b10072a6ac68cd58d8b47bedf
c9a5fff84aef8b46605c9414b3d20e1f190e902454757c1f89179c5436422109
44ae98fe4b0b4bd2000ed7ec88e9b7458e04c1abbe64102142c1686ac4ac494b
80e7e263927b11a7f93f188d4e1e4ee34a4751187672e5298c03e6ceaf43d104
dad46ac711be7ee69322bea3f3069bcd644ba55cbbe635a232b1e76fdb08da23
73d81ccb9a09fc6ce1789df05b4fec440ba9aa3c0998da3a843e577a111def96
7b75b7d9e892e63a9fd39ccb87222d7311b6a3e9cba68cd34dc650e15e295796
3249cbb032d6aaf66c01aaddc48eab91417b1f22b97ddb659f2f5a5a5683bfb3
SH256 hash:
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
MD5 hash:
336e07c5ea82b63bd69990c5a869358c
SHA1 hash:
0a3a451242065756664b675283c479c7d1dee554
Link:
https://www.unpac.me/results/c99eeb23-093b-4a18-b970-a8d7a718523f/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/23cd8546d36b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MoleBoxv20
Create hunting rule
Author:malware-lu
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments