MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 19



SHA256 hash: 2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
SHA3-384 hash: 7ebe6f0f75755cf9d1d0d2174c2141dd1c8e9374e6a35cc94fb9b8670e36b2e3feeccf837a531df656c82ca9356cf20e
SHA1 hash: cc6a2eab70def6f10c6be941e30e5c8bf5c88c8b
MD5 hash: d5144747a0ac45151b3c5da28eed836b
humanhash: massachusetts-island-massachusetts-william
File name: 2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
Signature AgentTesla
File size: 1'086'056 bytes
First seen: 2025-01-10 14:07:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:KQqL6rVbCx3YNB9WwzdXcaEPLPelSu2VRhNam+:U6lCyJuaEYA3fb+
Threatray 2'321 similar samples on MalwareBazaar
TLSH T17F35F082A2146F26DD799BF56A32C53103327D6DB875E22C1DE97CCB3B7AF928510813
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon d4d4dad6d6dcc4e4 (34 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter adrian__luca
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
208
Origin country :
HU
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
Verdict:
Malicious activity
Analysis date:
2025-01-10 14:42:09 UTC
Tags:
stealer agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
shell virus lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 1587614, Sample: 0PPJsQE4wD.exe, Start date: 10/01/2025, Architecture: WINDOWS, Score: 100 (graph image not reproduced)
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2024-10-10 07:40:45 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Unpacked files
SHA256 hash:
a193ca3b85a39c67ce59b28223ff573d3979387253380571d7382a341adbbaff
MD5 hash:
8d3bceb4f351d16d8c19a1c3553ec70c
SHA1 hash:
adf070a8f4f475800c619b4d88ccb17a488f38cd
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Parent samples :
SHA256 hash:
d5888d4b810ecf0e0fda69bb35dfe95d316a6832c8d146007f6c3b4e6530e81b
MD5 hash:
807ee1e104e96316c75430570af9d6d6
SHA1 hash:
743d35b385ce9a24cf43720b1f053811f117003c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
acff54dc41a4f979a5054bc43649e097472904293fa9c4d23048b30a57bc3149
MD5 hash:
8234c3ec3aba620ca36e9d5629e3db74
SHA1 hash:
09d5b639a270fb4cbf45b2b454db96cc1035a768
Detections:
AgentTesla win_agent_tesla_g2 Agenttesla_type2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Parent samples :
SHA256 hash:
2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
MD5 hash:
d5144747a0ac45151b3c5da28eed836b
SHA1 hash:
cc6a2eab70def6f10c6be941e30e5c8bf5c88c8b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload
Rule name: AgentTeslaV5
Author: ClaudioWayne
Description: AgentTeslaV5 infostealer payload
Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: INDICATOR_EXE_Packed_GEN01
Author: ditekSHen
Description: Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author: ditekSHen
Description: Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name: Windows_Generic_Threat_9f4a80b2
Author: Elastic Security
Rule name: Windows_Trojan_AgentTesla_ebf431a8
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high
