MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 17



SHA256 hash: 2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535
SHA3-384 hash: 15f339c38815f101b6d7e38bbc2c97dae57e6818560fadea7bc87b7fc74b3a71aacb5dab805ddd76420c003895ea8f6c
SHA1 hash: cd184d43614b9a39af6d6fe534b499326c66430a
MD5 hash: 66543965af5b6346e285cdcd58a47e05
humanhash: comet-virginia-seventeen-earth
File name: Vessel Q88.pdf.scr
Signature: AgentTesla
File size: 1'044'480 bytes
First seen: 2025-02-20 04:04:34 UTC
Last seen: 2025-02-20 04:34:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:qU0S3aYGRMwWbYTPvsEDVeIrV9P+AHeHRVet:naLWUPkEDVeIJkAHyEt
TLSH: T17D25BED03B306B16ED6F4A31D05ACC7992B09557B181FBEE6DC86B9B38CA3115909F83
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 509
Origin country: CH
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: Vessel Q88.pdf.scr
Verdict: Malicious activity
Analysis date: 2025-02-20 04:07:05 UTC
Tags: evasion stealer agenttesla ftp exfiltration

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: underscore lien
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (ID: 1619653; Sample: Vessel Q88.pdf.scr.exe; Startdate: 20/02/2025; Architecture: WINDOWS; Score: 100)
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
Contacted hosts: beirutrest.com (50.87.144.157, ports 21, 36056, 49708; UNIFIEDLAYER-AS-1US, United States); api.ipify.org (104.26.13.205, ports 443, 49707, 49711; CLOUDFLARENETUS, United States)
Process tree:
Vessel Q88.pdf.scr.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\HIxJrg.exe (PE32); C:\Users\user\...\HIxJrg.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpAF81.tmp (XML); C:\Users\user\...\Vessel Q88.pdf.scr.exe.log (ASCII)
    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    Vessel Q88.pdf.scr.exe (started; connects to beirutrest.com and api.ipify.org)
    powershell.exe (started): Loading BitLocker PowerShell Module; starts conhost.exe and WmiPrvSE.exe
    powershell.exe (started): starts conhost.exe
    schtasks.exe (started): starts conhost.exe
HIxJrg.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    HIxJrg.exe (started): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started): starts conhost.exe
    HIxJrg.exe (started)
Threat name: Win32.Ransomware.Generic
Status: Malicious
First seen: 2025-02-20 03:44:59 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Verdict: malicious
Label(s): unknown_loader_037 captiveaaloader agenttesla
Similar samples:
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery execution keylogger spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict: Malicious
Tags: external_ip_lookup
YARA: n/a
Unpacked files
SHA256 hash: 2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535
MD5 hash: 66543965af5b6346e285cdcd58a47e05
SHA1 hash: cd184d43614b9a39af6d6fe534b499326c66430a
SHA256 hash: 5adff9ae840c6c245c0a194088a785d78d91fe734ee46a7d51605c1f64f6dadd
MD5 hash: e7cb657dfaec55d61ab84188a1a7070c
SHA1 hash: 53ce251ffd8111a5fd17da0aa3d1469deb94cc2d
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples:
SHA256 hash: 2bfde305793352cc0da1adb8ed99447ad59f25f03c67d5756905cce802618749
MD5 hash: 90cebe77febe3d68f79fb7e03876149d
SHA1 hash: a665a04102d72778358e1b045fe3dd46996d2fca
Detections: win_agent_tesla_g2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID MALWARE_Win_AgentTeslaV2 Agenttesla_type2
Parent samples:
SHA256 hash: 043c294d925b937744d3733db522995289011b4d4d7ce75d5d83828e9a80868b
MD5 hash: 2c7300f184ed009774f6e34cc3875949
SHA1 hash: ef7c7ecbec15211065d6265495cafe20b66cab6f
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments