MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 5 File information Comments

SHA256 hash:	2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09
SHA3-384 hash:	5b907dd215cb719245091854583759f3c50641d77f7a4b193593eff87bb2807e19e02d1864c882fc9a72d71f0f15e4d2
SHA1 hash:	12b9c57576e5b2ca7c3d070e68bada4f59a659ab
MD5 hash:	adf34c05adf9629f38d6388bceaad6fd
humanhash:	xray-alpha-river-tennessee
File name:	New Cmr JV2410180005.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	964'096 bytes
First seen:	2024-10-24 23:59:48 UTC
Last seen:	2024-12-05 15:50:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:OYJW0Qy7IvDjljdCc4P7wCwnFMg+Y1ahxyhwU:zqj1opcGjYq8wU
TLSH	T17425F0045746C952C9E81B308871E3F84B991EB9BC35C70FEEDABDEF3E729692494190
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
File icon (PE):
dhash icon	f0f0dcd4d4f0b28c (5 x AgentTesla, 1 x DarkTortilla)
Reporter	threatcat_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

432

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

New Cmr JV2410180005.exe

Verdict:

Malicious activity

Analysis date:

2024-10-25 00:01:32 UTC

Tags:

netreactor agenttesla stealer

Link:

https://app.any.run/tasks/5c575969-e9bf-4279-8bc6-c82b0986e772

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Cyzd-9755507-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=671adf84890cf5f0e88caf52

Tags:

Powershell Lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Connection attempt

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed packed packer_detected

Link:

https://www.filescan.io/uploads/671adf830f780125dba1f9e5/reports/0336f2f6-92f8-4d6b-9be6-b9598eef161c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8389b52f-da39-4410-aa41-a2b470eeb459

Result

Threat name:

AgentTesla, PureLog Stealer, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1541686

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected PureLog Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2024-10-22 07:09:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eumhrd4fl465mk7jjyatmhuwg45ru3l3q32i44wtxoezlcjab4eq._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

unknown_loader_037

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/241025-aabhcaycra/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

AgentTesla

Verdict:

Malicious

Tags:

agent_tesla

YARA:

n/a

Link:

https://app.threat.zone/submission/3cc0d044-ed46-4273-b8f2-fa64e2ab4e63

Unpacked files

SH256 hash:

4cd6c11429610324296e0e2051ab13a099af39b609f77e4b3a361a9495ca7b34

MD5 hash:

349e761a1327259cdce128e845505b0b

SHA1 hash:

99bd9945a209ada20920592b848bf571100d7e12

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bca205c4-fd92-46b4-bd27-f57ef4076030/

Parent samples :

ae26ace2f3bcb3c94a3a8af4a6684da129aa08d73c18a5311d7491d006b20042
f73021002ed86b0c0025a8b7384b5e122ae3df8db0b9dd4fa2d85b09f85cf32d
17b0a93d47762eaa5fa2f7e88cd664103cf7d106905d3d7a637a21b802481f13
3a259b8cfd64e2e3086299d3038714dbbf4c41dcbb81b222c6b0e5ab979f75d3
173fa94e725abc88acf0d848bdee94d216a3c74b4492e006405c357824fab818
fb1087f5ae803f42c462f64d69e98d93fde21279c9f0be092c38c91caa20825f
8352beed8fb5f5823a3ea3829d7e845a3fd3c53535dfb4a13fa0d11e01231912
fb3f91e5f61d4bb67dbe8b15407b651435a11a2030518d68dbbc18edf1aec539
ec6c0b68ad723bfd12ffe050b290318de9f50ceaac13a9f9483d42a6301ac657
2544c1b36ef1f8bb0400a83f1356a45b0976e7cf9b25941f0cbb872dbb5ba7df
3fb18a9617cf2bb47955b8a9fb5402910dae6c463908f9598eb6851d74fefa1f
9ee9ae311878a9fc88d891aeb7282d9633a90bb4f3a8688216fa3e12e4f33bbd
3e3d796025df4a863c3f4220bfacbe1fce38f67318524891218180857200ecb2
ad2f3629f617763f45abc1be39c4a28f581ca8d0efb97e3bde2ad33106714c85
ee843bcf3bcd091101e9d641670be54dd9c3a2733ad3e248c29eb7e2a667c1d4
a7c07d958dc83b5b3f0f0d5675b93eeced5edaaae7079b218c52a393e2a1b102
80a98cf22ecb8a4904bd619d065c52ec7f4e44c14419a66dfe705c13395520eb
8bb48532070b3a86b87cd98b6981ace04da99995834908ba467408aaa7f33892
e56ff8270b42a7f5cae82ae48e8bf448b70fc1314b0a3d9619bd2b86f5409f39
782ff6293982503e46c9380cc156cc9ef12dd7d89d277b73a900cfe0c58ca10d
2a53872f573a1817be1848779e60c7db22501badc0afd7f364ee30a77dce3395
3ba352819c7abd6700100363b3f63e070549433564bd7636cdd0cf53b6356dc2
d7a245d4f45e341ea312785531a56a9d2b3822587f611e828ec8e58a1fe0380c
5942a6b4e4e062693a6a5ac7b8f1205ebfc6e010964e19503909ea31c12fcd76
65c21e028a8843007236d14d01d3c7eaa4a94547d106347c6eac84ac30e1fc76
36ed24fd100db4ab36461303fcadf2101c391f95e635fb33f0fa396204e642ab
c015ba3cf24ba3b9a60b53b0f36fcf3368296c4951967ce63b3e6a6cfb3e7472
288c3ef10338b99d38a344433451dbb2aadcdc323e656670dae29d9cff5e1313
8e410f45c665e8e5d2e5e690b37e232a596d3c975842a61fd9acf6f46161d7ca
02253d28e37b943a2d0dbbb8e3a1b53f61d63016e6e12c2ba7f5eb2d5da348b8
4e007a23a0658f7417c1767bf2f2a0a3722853216e9a00489f79d57b555acc9e
3a15b2df43b3665b869280969adaec6fc18de92f2da83e1d0228d7379fd55e09
a715e212c1face115bffc6edd614c2fc311339ab07c3ecabe35922dfb8be7b44
2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09
04a71f87d4223328a0dbef5085168ff3710b488b68bca528de391d706e01cd5a
5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
8eedf9b52ee1d568c848fbb5c15b0f20bebd0433919b7890f24a6ae61cf9a8ff
4d445668e5286453beb4948cd988771658e6579e1bda2b1ce812c4a58e371380

SH256 hash:

158e2f657002c5780866f7a78a08c91cc98ac7da610e1035be86eeae2aa2fed6

MD5 hash:

d3cb6af0a8b44773714466479f8a9105

SHA1 hash:

28679e0520799d22c2c0bbe8a64cf7d6780ef716

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/bca205c4-fd92-46b4-bd27-f57ef4076030/

SH256 hash:

acff54dc41a4f979a5054bc43649e097472904293fa9c4d23048b30a57bc3149

MD5 hash:

8234c3ec3aba620ca36e9d5629e3db74

SHA1 hash:

09d5b639a270fb4cbf45b2b454db96cc1035a768

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/bca205c4-fd92-46b4-bd27-f57ef4076030/

Parent samples :

ead48c3d70f9e44affecf6fb37769fed5e65c137600e8d97087db029f059f3e1
24738f9d40d5b8b364477a7fe4d85c530ef015b01eb1934361134a1295ef52df
7306a090c8afd7557dc6a32f072937107058f5d14b5d416730b189647980b757
f6acb83ac599ec60d6820c081521a00e3701e7191c8ff2772c3682196a28e531
07a89eff230f0a111d2609d1a5281512c5b4ec5f215415c04304ad605a484541
b2fb490ecbe535fb56d2e56751bbe28eb84e4c08c04ee5517f8dc462743df83e
9b17f0cbd9b4d79fbaf15b281746190dabd6bd1ea8ccf79508753191248d0ca6
44c35217277fbfdde4251ac9c9bad106247b6f5ca5ca0f1dbaf8f3343b364af0
3b5e5fb317040ff6197982f73c65426ea39e48f0108a4349acfc27468cef1e86
3ab5cfa98e47af08a289ebfb6bfcdb40b109ac077c1b655b47798cb559931724
958d99a0d72d3367f0e9cde7b716a0adb3f09869bd874f68b43a601f9e9d4f10
1bf2a9ea09f8638ac50155e3bdb1bfdddeb5d3496d8f44fe2be0b3c57ae16941
8ccca04fe86f770d8057a7209a6d31da8df7bace6f4a3d8e04d5bbfefc2661f3
b54ee7375e7ea979d16b76f183aaaccfa49681e2bd748ffca202fde9cf823346
8ef13cc6f1b7142f119d90c5bf9a8e8a4ef30e0151191a9f0e0b96610d8fe183
7f7bc308f1a31734af163c5b00fc0e1159d2ebdcebbe46b7c5113677f84fcea7
75d01f5228312d1ca33e0388355df6a9d35a501564752842c06e798f74d254a4
617aad709ac7d66890968766cc4b21481d268624d5505963058e7fa10748a57c
5cfb623fd29edfb21bc7fb3d734f2e6ebb7f151e12d2fbcb61bafefdfccb24c6
4568453d8e6838ec1f2e1dd9cfe87b257aa7bcbebb888c3b3c8c0514afb74b91
ea3924235164ac07fad6964220f412a07829d4e972eb6278365cc8dd4cf50b6f
458e5bd8e3508c15449bfd4c9931a59cd2a6a95ed9e6bb5b0090aa6641a29c77
e17765cd72f6b95c8167f428ed734688d3b545c45c23e07407361e8979b49167
4a2262967b00cd610107b403747ed727fe8ca66d26716c4cee9b7d4c6ba81db2
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
c30bcd2377714775a591adfba9ffcbc833f646bf9669829acf1d0dd0c07e030d
cff5f0bb2c9dc0d52591745ea43e9c7cd8dc46ea14c5a9996c72f76e7cdf7011
9244463fab1df23ec163c36f7f032245c64f46841f91f139fab5b4fd2b5cd25c
2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09
0b06f6a3a4102c27376f21cbcd09d3c0bf5e6cc7e92f9b9a3810fc386ac8184d
acff54dc41a4f979a5054bc43649e097472904293fa9c4d23048b30a57bc3149
16f4f854287cff6b237abf15c970599a7bd03fe659d1d72241a30c3d904e50d5
f12f27ed1f6364c009e0ac250ffe77455a34ffcd6c45f8d8163d7e23234bee36
00bebcf6a27277b5060ea1264725f496a99b7e5d06649e6e8c9c8ad24055ec61
00a7a6989782618cbd45a4e1f849067b52519eecb58c7f2c0d6c43d8963598bf
37f474ba024470e44cdf908de33a29657d00da334946683d4174daaaa5e71b81
e7fdc8fc613dea0792fac0242c3b51586e4d53cbd85647656b3691d70757df79
bb1cbd0fd591bed430c586933cced40166d459cfd324c738e5d3d6cd8e154a36
8cd8abcb282f372de8c9de1c810b3b201b74974de71166809a7db64f8e344a9b
2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
0acb6194575f0349812f6d5b0153708d2da2a5a598aa16b345f6b8627aa01f5c
c27531e9608480a9890b88a18f5a99d230bf1dd60a3d0c80166c4db5a5707a98
82bf5f4e4901a995c6218cead424b929e53113cdb0e56c556fe28a7d692b96d3
3ec5faa6aec2047d9e190157b3361a593ea590f14a80b42d22f4492ef68e48e7
4aefded6c2b76de91caea4c02eadc41785d0c0baafd72828e420a80daae1ae5d
95ca76dd91d1b195e9bcf42c567bc118e38511109c0746263c96bac697e8a23e
567ba3c58cd638c6795526ba0cc119eedc5afe6baaf0e1844ba87fd9fa3a29de
e1b0d0f18a452022e45b4dd63d32d5b9686f6a07f34fa886727b92a9b1071132
95f3ecc3d08e23770a8fb82e1a57ae6ba41eeec8aeecc73158fade9be732ba7a
e18a8c681f7f2876a5a4d2f550cc63d4ff25c05ab942d80c4d3a71dce497d4ba
bb6f0186eec1d2587ecd2b6b0e0c88c8189823fc633c56848365b362dc3f53de
00bfd9c7e7ccbeafb8096def85a900153fa548ddf396735fcd84fe05f4ec2961
ff93836635f8fd88849fd7d411612740bd1e1d8c03dee062b0d822914634bb17
8997370d9ed8cad88c1c69ffa39d35ddca8578371b5fe96da08e850308c9d623
c4133609748071a200e855b6681ce59b918d73fea3a3aa67c7053af38cfda2f2
9e537686889d98e616a054e27a557ceb0f91080af7995766bd6c2258fbefa169

SH256 hash:

2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09

MD5 hash:

adf34c05adf9629f38d6388bceaad6fd

SHA1 hash:

12b9c57576e5b2ca7c3d070e68bada4f59a659ab

Link:

https://www.unpac.me/results/bca205c4-fd92-46b4-bd27-f57ef4076030/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2518788f855f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample