MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
SHA3-384 hash: 3de064e00dd18001cb7e20329b69b6370da8c17ddf694ac1eca0a78d9094f1cc127b63935d935a27e19ed47957c03e89
SHA1 hash: a8e68805e2cca84d6f0c1f4525eb5bcfdd29587c
MD5 hash: 755bd5d68b7534193c16fbde38f20bf1
humanhash: yankee-apart-beryllium-nuts
File name:NEW SAMPLE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:907'784 bytes
First seen:2024-05-06 14:13:19 UTC
Last seen:2024-05-13 14:05:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:MHbCiAEfDOKa9Uis/5EDOj3SqlV7iOE+nf336MPSbZYALL5xuieo8YXHAq4UkR:+CRE7OK2Ux7j3ZtRtfjPSbZR8MXHAqk
Threatray 1'183 similar samples on MalwareBazaar
TLSH T18215696A570BD30EDB0A4D34AC0967E835F32953A528ADAF5E0671ECF1E2571F00A1F9
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71ccf0f0e8f0cc71 (6 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
315
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f.exe
Verdict:
Malicious activity
Analysis date:
2024-05-06 14:14:52 UTC
Tags:
stealer agenttesla exfiltration
Link:
https://app.any.run/tasks/cbda5d4d-fce0-4134-96e2-e0b907501744

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2822.18680.9918.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/6638e5b01c9796b80ab3e29a/reports/2fa64b7d-8b27-41f9-bb1b-efa44e5645b3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91d8aa62-5fba-4dd1-91cc-4718ddff8480
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1436807
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436807 Sample: NEW SAMPLE ORDER.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 100 44 mail.iaa-airferight.com 2->44 46 api.ipify.org 2->46 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Scheduled temp file as task from temp location 2->56 58 13 other signatures 2->58 8 rWRyhAdHllQ.exe 5 2->8         started        11 NEW SAMPLE ORDER.exe 7 2->11         started        signatures3 process4 file5 60 Multi AV Scanner detection for dropped file 8->60 62 Machine Learning detection for dropped file 8->62 64 Writes to foreign memory regions 8->64 68 2 other signatures 8->68 14 RegSvcs.exe 8->14         started        17 schtasks.exe 8->17         started        19 RegSvcs.exe 8->19         started        40 C:\Users\user\AppData\...\rWRyhAdHllQ.exe, PE32 11->40 dropped 42 C:\Users\user\AppData\Local\...\tmp9DD7.tmp, XML 11->42 dropped 66 Adds a directory exclusion to Windows Defender 11->66 21 RegSvcs.exe 15 2 11->21         started        24 powershell.exe 23 11->24         started        26 powershell.exe 23 11->26         started        28 3 other processes 11->28 signatures6 process7 dnsIp8 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->70 72 Tries to steal Mail credentials (via file / registry access) 14->72 74 Tries to harvest and steal ftp login credentials 14->74 76 Tries to harvest and steal browser information (history, passwords, etc) 14->76 30 conhost.exe 17->30         started        48 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 21->48 50 api.ipify.org 172.67.74.152, 443, 49737, 49739 CLOUDFLARENETUS United States 21->50 78 Loading BitLocker PowerShell Module 24->78 32 WmiPrvSE.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 28->80 38 conhost.exe 28->38         started        signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-05-06 04:26:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
17 of 38 (44.74%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gaiy3n47ixm6jfoylviyr26e4aikfpbtewfywdindk75d4cwkaxq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
AgentTesla
08a5fb6838c3c5a8d96de60ddd54076366c8016fe16c00e741a76b00662da1b1
AgentTesla
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
AgentTesla
8402999484537d7b6a3ab9f2d1dc95aa667e35e13aad7b1ff4cf9f8622144848
AgentTesla
94e86d7455f9c08cc57d6706e0f779a59459fbdac1506d5b12f20566ad2b9cce
AgentTesla
cd8edf6fd58e1aab115d9da94f4e8427c29b430cbac0dc9f01f9442c37a5cd7e
AgentTesla
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
AgentTesla
+ 1'173 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240506-rjzd7shb83/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SH256 hash:
2ba7b42aeb26f22c74ab70b8c487fac83bc050338c89be9d2e049f99d175cfcf
MD5 hash:
49c60380ea3cb0ca23fc0a9e258f32ed
SHA1 hash:
98d7cc884ad5eadd59e1058fd30eda55fe3ff1b2
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
SH256 hash:
cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c
MD5 hash:
375a7c8575a28440c4e4f0b72df2f759
SHA1 hash:
960eb458a3e68b9388bafe727e6365527e20d841
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
Parent samples :
29f2f8293c3b8868dd9f057b6b7ec1a898c1e57205be359afafa433cd9cd7bb3
1c92d3868a5a6d2f87a8c0308ff37d329911dd4c43b5fbd654a69773ca6fbbbc
c2de6c81a5bc4a97ac8e34adb89a14885bfc91bc284550221d865f335f575214
d7e484c20f0341e35945ad2a6f803fcd0829a68b7dedf05430c0be06d5392ed5
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d
d1248b99698d1efcfddacc89384b3df62e8dce35251d7a96dbb13cd31b30f853
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
b2d9f8edf1b8ab56a07620a6dd37944c423604ea5e25d97de57d03f5412b9906
6443b593fc020a993974a850a6609c498398ac6d8368607dd2bc1ad1d785f38b
b3ac3ae44c087c5dc5d42c5ea8531e82f47cc6740da571a7c60624dfdb436469
0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a
5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba
57b6b7a5011b1e0d3b8a43da9c78528e3a133cd20f5f9cf72c6359dab423693a
e28f384946d7a17d59de700e40186725163b534eab150d6be5327187e7f83a28
dd566ea9737c75cf44885c842a944952d23abc1fb315867b4f07c3b8f37ce01b
9451626c4ac447e1f325611381448ee5fc8224945bda86cf32ce94306c3cd9ec
104fa5737e0c2aafa7558bd7bd6080cf54ac125b4337f4e0515e41d9e1370a04
cd583aa76a762a640be309b14234e47081d254d416b0567afb293f219428ce46
ec4ae5d1e86adee06c295ad77006d3328d144aad4fa2d0dd4fb7fa1380e21406
cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c
22a01767b082d5ef80c5f191c653f73fc7d4f9d2742229580fd928a9a867a4df
7fce3e76c6fced8598769e97c7cf34eaa6e86949bf61b75526fb3b489f6d81f7
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
b4930dde2fc721a3d6648831dd4fe2ebd5085e0218864eb48e68e54a69d7cd41
86b3feb69665d03eaf1b1a3fc4dcf8221443f9c75458f34aea20d72d05c16cfc
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212
3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce
d5d6f7922d87a58322e5d4ace6819497d0942b3b22dc10c52f5a37cad8e42793
07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
67f4b6cba186520b5247fa0ec23e129dd20c51640662108c2b9db61cf968f17d
2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd
9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
39454a1ce8c389d837bb510efe44858712813fd3ef611822af3a1e5b0f64f52a
001c5c64500979a3b3c0251a7e94292dd1a188638bc7aeb0168e9578c53eaaef
019c0bda2cdb00d88ddd70fae9c57490c14b218aa3c2e9f383f75fa415c03168
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
c6ca7a0c812b140b8d3e1f7ceb12f0efe6bc0f564c6312814bc9dba1255e8788
b46e55db0693853f1f96a8ba2baad879f4e700db1c976a4041427ed221538922
81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b
d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf
914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75
d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334
3b593da5f678af89946aebb762ab465c627a4dea6942b1a134a22536fb9ec7b6
5fd1a09cf8cee6f5529209307343ce46ab95e96b7fe6151d57e4f2d225827b3d
207836d40a534374a426bfb3eda7d988a77b2d8312b122644be1ff6659ecb59d
76930f5752402bbffccf8edeb6b07cd1ccf925c8c34853650e367cb2e0bc3e8a
7f26fab81265bdcc5ee00766756159b473e5350f77e13cddfb28b3af9480d19e
a46460f8d8d27ef7561eec3297790812f7b6187ee066ee2ffbe3cd60c2fd5ffe
e7d6f8ffb410620820c565a54f6360ad432593cb99705ab5d408e7e53c8f19ab
70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d
e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
af65f2da3fd19510fafbeeff3fdf3531db13eef1cf40f6bcf6580f76c8abf3e4
276ee9ca37adcf31809cad29a26c112e623e8b0d9444334247139a63563ba268
4587101c910c2af014b4f604c0ba76717c1c8b3f360ce0a191e81158b691f6cc
27bd5e4723cf6f83c2f4a5669ed07025c8c7925ee09b59861c6ec6009615e28d
97f4735ea0610794bdbb279c3d8fab019be4552788b76ea8ffcc4a53f7d731fe
db9075f1eadd4b7dfbc145d16f17c50ec345e99d3b5e3b7593f86e5b8532b4c5
8c3a603f6409c75df6f65da000fb6370e8a95da1572507a6f812d06f219c89b3
d11a5704f52bcddd56abfc1533daf7d30bc6b98ee89d81e7534f1be1343c9a6d
1de9012faa32acb0bd829ee77afa29ea04798a14152e2a624f03b08992922bea
77625c8d0612143544ef6bf2907b6f30fd4be765bdd955004885b29f388fb17d
1d1753775e003c95edf26e2938b3f7b9411c0791a5a65c77f662264e6a554156
d695f1fe44dd596d3132f964c43d9729a7df5bdcea72c504db47a41c6a648164
74b30b12fca88b189c0aec3f5af5dabb8f496811036bc4c1601b2fe49fdd96e4
f140450118202ed165b49c1a623d7e64ecf9b147254359255a734d849b9cb5d5
e71dcdd820367c9cb0b261d69c2bf74bd0d889823b75e92bc5752042a0712dd7
3d2bd0f41f351103caa9c7f99aad63c41884c7d408fba0a9c5eed5af9f5014db
c27773f8b51094bb8518e9b7e896be05144fd7f66e8b7352b974e7f42b6abc98
49a677d5dc211d01e7860854330875894852c15b14e79c19719ca47094962b77
2175bfc02e12d0136d4cdfa370226d8917b46132cbb007b04e1b79dec177b7c5
8f2d4544422f6870cebdfed81c4d0ca7db176e34166306f0fec4e4d509b773cc
750b354b873770c3702def2ba20335091b10e73f2e19e0d9f6c2164d836cf1f0
0c84b7722d83c5eba4829bcc7849e6f791fdca8a8a2c41148b2ff6ccd68e52a1
6f4245e6fc909528580e36c0ac716d6e8b19df8f6ce43bd93f526f282f3e86ec
059e6f46dc494f497e19284906976773271e9118bb7749f1aaa6cbbf4e337d39
9f178274219fc99efcbca3c85ea794c9b7a4ace49176a83a884a54794e8a1ee2
f7121d16f7c5e546edc168027fdcbeee4698b1038b035003002cee8a295468ad
2b3b53a5156b258cbe1babe783c03f3b3733c1b51a45fc6b23d84f4a84b50b84
e12f9f6dd4d092492c0d9e422da3123d88ed33ebdbb77706454e0a4a534aff5e
4b493efbc51d8cc77f3fe9e2b96070d5b9e1641a00a3f265cdb60209993fa515
6a58063fd4bfe4c9fd2bb7b17216fe3353a358a404d8b162d8b6f2a9bfc7b625
SH256 hash:
7b6af3f90191ac8730c6a10f07d6198724dd53942ba69b6e0f8a6f07d4f01ddd
MD5 hash:
175883876843a90f90cd3c59ca4235e0
SHA1 hash:
8a34d78ce942a008e8ab7e3fdd1e10d95a2cc6aa
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
SH256 hash:
58d69063e7c1778b8fe306608d01b54712dbedc6865f684d2416facc208f3f23
MD5 hash:
c684019e698444faa861bd040ec4b439
SHA1 hash:
4caa1702d5ee83ea9074198adeed93269031dec9
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
SH256 hash:
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
MD5 hash:
bf426feba5a9a2f55c1a2e439b3f46c2
SHA1 hash:
4b547c42a4a14a4edac9fce0484eeff41f1ec116
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
Parent samples :
7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
049b5a9dc73afb156d98d5087d9d728287a857420b698ed12d494a2924341667
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
7cff23ba2bec8f206920f7814f67fb40698292d87b0137c9a87dac596352aa56
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
0c12ddd4730b8976410d8245aeb9f69d148afa2a1ae2a761ff82ca1744dfa207
47023bf6cf58f345002a5ced2740eb0244c02d1936123079d1ea41c427d5cf90
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
c68376bcbfd140e682ba3b0f7535af83a9653b63f090718ce028a9a65514959b
622cf81d55d81ae7200c6f7353d62f9ab64a43ba762fa1b604749d85ae2a8d07
1268ff6a657c693e5b4fa2ee3aa1ffcf3f5c0449ab5468fb430a3147314e2931
331621cd29733a7586ec0ecc51705f13433e146daeeaf2fc1848f8f5e8cb1306
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
9c88b2fbf7b78279ae5a1f6c4ea318e2d4620d1f6ce23d8f89b1bd3e50bc0f95
966f683a0580f7d052c49ebda86cb0fb3ea22199fa37698cc0e0fa7ac5a9a95f
cd04d0be3d3ffb70bda5e2dce9f0bcdd480e5209f000a91a473f8020eab0deff
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
0a750351ec2b43d2ff77cf94903bcb9a2fda69450d62eedf2fa4eebda26e07f2
377449ca71b8a9f0688ce1826a2b245cbafc8dcb56498eb6db9b5a973f5ef36d
307b6baff0d23da831efea1205facd7d4352fcd532edca732ac42322eabb6eb5
c5f5072d4434c3210c68708a250b1c62304f213c5f0447c010e55c6d4d6370d5
34f7239e0a54a95941f92fb3e1b027ee214ae6002773e917e23e58e28a754726
1b57a890251e57f1b1861cdecaa0c02ff83d438ea0cef15a677dfa0a67e7891e
ca7bfa1d520a6bdf0711c132a66bf28a10bad487ecbc225f69038ed95619dc86
5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
bcdc102d9b2ee935356e5888be20ed24f5e6916f668d1847a26630223265d197
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
6a37c6b56b588d4bb27dc42af88e95ac60bf80a0544870cf6476c423f4eec2c1
ca1dc64bb446fe0612f320105ab988ea750a7d7c9e1e0689005925dae6d3a8ee
c6e903556bc2f879377ea0e482875eb73d980edbc156419ea3bb741647e2ae04
22227fce9d09014d3fca954bf6fba7a40cdf9bcf4b8dd13f69914fab061d0dfe
83daa016494bbc800ff8e1db308b5e3dc9c0b73daaf455a579d8268b4f44f3ed
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
e7dbb76c52c158efa316bd2236902bfe1208e0742621b9652806bdc13ea3d6e0
203bacf22feee36e2d35a3846fce5db308f078942ce7ed5a16a9671f6138e46b
9db03971f027f14894036a6c0bc19fd875dad7387708a70623d1f3a8e5627958
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
1d7754c8cc8eb7df3bd429fe9806b85f7f6fbd768ff59948a1772eace6dec77c
115fc6621dd995b238916ac8629521d718fb941f0b455f019c85b1a4174f47d2
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
c28cff180b9334b37f4d59ec77dd36b6665e1a3e8f4625be51f9205e523750bd
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
9d4250be0e0211b67c9d2817e00441a0031156edf03e4cea333153275bb87519
9909d16ff5a6e59c3f55c3e4a8bc3c4fbe4fd56c728ffd1875ec602ec1ccd57c
8201ae4019ccfc7b3756ddfbed3f8fed7dc3f65fe47ca2d9b2ee67efc0d57e3e
c7a842c7d0b5d81693410eccebf67e1cbd0725fd1292dd695617494f47543f0f
1bc2001563ec7cb81fc1d7086b7d8bf36b285354015654b9ac2bcf051c68d2f7
403fb4a908a97f67ebabaa9d60f9fc520d3f3f44a892c8f3b9b9fe44edf59df2
4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
11434dae7da8d82c7cfdbcd435b920c3785903e41dee470bc4e191c6c87b5489
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
f4a45365e22a84bee73e3d8339ee08f2336d76bd78c3f25cf61a08e4a4085a2e
55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f
655bf2b084f93181d47b1ffb31e944da4cd4779a2ce1a17f37286b17684677f6
a26493d2e56f50c049733bc651849a42513021b26bcf8c9fbb4b71fd0b3bac54
17cb12e355a44f0aefb9ec8069817a61f409d455129feb61b489d508c0721992
561f3664b4dcc39b1eb79236231b0e36fb5fde10c8bda6d356d2fa63925f3a6b
SH256 hash:
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
MD5 hash:
755bd5d68b7534193c16fbde38f20bf1
SHA1 hash:
a8e68805e2cca84d6f0c1f4525eb5bcfdd29587c
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/334437b8-f7ec-4da1-aeea-0ea7b76785b2/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30118db79f45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 18efb91c0c6f0dec6620bf5e170ba7803a1d2e208c2545f3580d265a782cb745

AgentTesla

Executable exe 30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 18efb91c0c6f0dec6620bf5e170ba7803a1d2e208c2545f3580d265a782cb745
  
Dropped by
MD5 bb0784cacd5ff0f33b3e2acc3b8b1ffc

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments