MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 20



SHA256 hash: 42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856
SHA3-384 hash: 6e7d370a06d9ca1bc759273f3e26e7c1df1074a3db2a5c11ca29353d9f155b6a80db918f0922fce5a820ac648c49b6e6
SHA1 hash: 68226fb98f6e93db77d607dcc305716e8a80871d
MD5 hash: eedbda81d4f3d69ee2798e40a8a5572b
humanhash: princess-beryllium-oscar-sink
File name: Shipping.exe
Signature: AgentTesla
File size: 751'104 bytes
First seen: 2025-01-20 07:37:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:O7G3eV0l1vF6gv+W5DzalTl3YeirTX/8pi+eAH5vgQVT/fRO8UYeA6h:2V0eM1DzalFYvPX/yi+pZvgiLf4Fa6h
Threatray: 685 similar samples on MalwareBazaar
TLSH: T1CDF4234DBE76BAB4DA5E0F3FC133014146A8880771A2F6BF4BC61DD64C6BE18C1875A9
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: lowmal3
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 448
Origin country: DE
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: Shipping.exe
Verdict: Malicious activity
Analysis date: 2025-01-20 07:41:00 UTC
Tags: evasion exfiltration smtp stealer agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: micro shell lien sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade obfuscated obfuscated packed packed packer_detected vbnet
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (ID 1594941; sample: Shipping.exe; start date: 20/01/2025; architecture: WINDOWS; score: 100)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
Network: mail.starmech.net (207.174.215.249; ports 49709, 49712, 49987; PUBLIC-DOMAIN-REGISTRYUS, United States), api.ipify.org (104.26.12.205; ports 443, 49707, 49711; CLOUDFLARENETUS, United States); both contacted by RegSvcs.exe started from Shipping.exe
Process tree:
Shipping.exe -> RegSvcs.exe, powershell.exe, powershell.exe, 2 other processes
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  dropped: C:\Users\user\AppData\...\oDsvWZJmBpNs.exe (PE32); C:\Users\...\oDsvWZJmBpNs.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB3D1.tmp (XML); C:\Users\user\AppData\...\Shipping.exe.log (ASCII)
  RegSvcs.exe: dropped C:\Users\user\AppData\Roaming\...\BjTxJte.exe (PE32); Hides that the sample has been downloaded from the Internet (zone.identifier)
  powershell.exe -> conhost.exe, WmiPrvSE.exe: Loading BitLocker PowerShell Module
  powershell.exe -> conhost.exe
  2 other processes -> conhost.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
oDsvWZJmBpNs.exe -> RegSvcs.exe, schtasks.exe, 2 other processes
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  RegSvcs.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
  schtasks.exe -> conhost.exe
BjTxJte.exe -> conhost.exe
BjTxJte.exe -> conhost.exe
Threat name: Win32.Trojan.Genie
Status: Malicious
First seen: 2025-01-20 03:15:33 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Unpacked files
SHA256 hash: 2dedd720692680d8e9915afb905a578eb3d7dbf48b67770477f5af3f57d09228
MD5 hash: 1bfac51519c85f4db45ad6f6e38579d8
SHA1 hash: bc54289f42eee7398f593ccafbf337584ff7514d
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash: ab737fa94d5638dc23955700ae5443fa7a05882c821c51b995935a91e42c3561
MD5 hash: 8ae00a26ba2f9f1d519fd6455db2cb4d
SHA1 hash: 9270d95cc7f7a8d1915de694d54a550b3c683684
Detections: AgentTesla win_agent_tesla_g2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Agenttesla_type2
Parent samples:
SHA256 hash: 52623f7f653468852363e6eecd312eacb8c07d24f3e4d06a736ee88d5945d6b6
MD5 hash: bc67ec4fbc8d26fa2992db28c17d1bd1
SHA1 hash: 09de04d8f8eaa2f5509b632e26e0d66053e6a3d3
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples:
701cc76315954f7e5e8b0fb36db44cdb6e6e40384be529670490523be1429d8f
84e892d4627a3a3aa053b30200788bd6942c046d2dadcf5121017a32e10142f2
6f094aa75a8322555241fae3063c17075a6ed5166bfb41c9055c390278178d6b
339c521fe6235de8b0b912c9fffcad6cc2eab721902ac095bafa510d68868c97
06c6a4f57f8b8d5b12406b5b2c8960362c0c2ef3cf74c4dcb49481ebb942230e
c470eab16e537bf777506e63bbedd58114c0403965e9a01965507ffd731dde4d
845304505e2c101665da5f7c34cff35f470b7a02d7c0218d7bd0d25664cc9cfc
e69d37275cc3b52a9d3a26f76073191ab8f59901781b5ef2859f33dee2252ddc
00580380c811027c799634812e6f785df11f2f2eb3fa1718ac8c4ff47fd6ef2d
3cad0fb9280972f24f68c74e7b9c93dbd446c22f704f3b66cc7f1effc54d7a09
8bd60c5add862eb634b15fad4020a9afcf8ed6f523485665c80044f90bc8b305
5d4dc700ab772bfb4ac1fa290c0dfeae62058d31c42b48b5072a2c13b4c419bb
1de6c06cde011693219b05444f8e18cf1fe97373d0557a083a6e6e7d836e3153
db86c56e2f1c33504e4bd47d1490709bc5afe4ec1d95a0fbf22510bc3c542a8b
202efe071db5f07fc1570f9f296799dafd1bdcd29085e0b9c8c5c9e2ce1199d5
07abbe06a2d17f142846d33bda215df5b05355148c781cb9ff1c8f233f534cbc
f89d5db1d93b61d6e6346fa86e914a5b02e927c8eee905e658b0818f76a545ca
784f9e5d1eedc785401f6397aab1d9fbfff7593262f8db591e50ae06d37cba02
1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
efd65e32b20afe5bd0541a097bb5f4e7f741875b2c65cab7f08c04a645ccdf6f
eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
8fe18e6c77d0b63ad58b669472c8247a8771c82ce4edc65814bb4c53fe5ab51c
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
7abd614a718eae6e0544e6828c834f275248093b5d807b7cc5c4de975dc7abc9
91a04734fb1bfa93391d961ff94dfdfffc3021d6cf56cb31f9d696aa3251c6e2
51d5fbecdf7459fc37ab296b97245a020f31cfd4ac1073f3fb2947a3710a8523
0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd
0ec77a2b6843ab87887929ed395775aa2280cb4d8d16454827bde96fcb3a100a
4fc7cb2b1080330179c0164b3cbd8b5906375fcadaad566896a5b6468917a21a
7a4b80b6d3ea4ca73224197f7d85d763dd953826978cdc30c6e75fb298cfb5ab
1b758fdf653d34cd62c7fecd1e3023ca5d3537360097676b5cc83b7915c2ac90
489d60af14c516d7b4f712272b1a2803988385e197a5883431d58f7694f22f20
f9075b95c77272f8c8f1b8fa996374c9c8e6bc0e2a6f1cbb6cc2fab34b9b589c
d122657bf2b391fb9fe392a711526b7ea4163bc606d629144c0e7b72700872d5
60541941074f0d0772bfd1b307f3ac777ed84f776bdd89aef505960bc97c1404
5e0237bb820fdcd2bafcaee8be22bb60004ef0f644c9eabaebcad2c423f4d4d4
1f468ba035928b41550cd68056a3e2ba8b4ef5e98b61b45c4562f110ddaba29a
24ce2be70ffbceba0067972a154cba571866cbeca67e2132bc01352f46acd9b6
8078b743d8a317718f8fa77d12caa85019cce7dfeab9da4e268fb4836a7f9e74
d4f10c758df8ca5f3bd16209cf5b82a27b218719453ad29e7f5073d08c376676
13aef47049b6f723e3b24e8f794b9c09e18ed477f62436d1a8250951b4fe253e
42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856
9bf5d73a9924bd9e616336e200767e575569869d7d0ab959de9c7ebb37914dfc
7f10867f8a37f96369cf305b122fa7f5fb3f61e0a98dc35d66a7206530557c1d
422bb7209a36ebb05303bbf0e6de6e1fcaef855b360f658eeee67ff9dd49d5bf
2e7fac97bc9785e461473c2776be1da2d9dfe7916753d4a3148c5055edeb9bd6
e16ed69e1d337d88539ff98cda8d36aabc495db375d68e4f9b86a1843ad8c679
799332983f0739446bd4e37db4163529d016947426bdc4ee519dc2e5976445f7
fea0db3026f3e075b240d97b0ff93ac157c8dc69a7d56a32e3595ed261a9ea55
2bc219aa0c642b6064f467a9abe85ccf81dfd0191377fa4453863384f22b5fa5
5d4360996a1f89361dda1818a51dcdd2a551698c6c4d887b5ba67fd86b946e3b
79a83acd6e34d187228950510e8bdcb36f0d3cc6dd9d6d35d40d37651454c1a3
2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
da8f006e36cc66990a1a1f43539bebc73fc9531413ba2960180db55927552014
52588fe73383ccdb5d715ecff941d1ae169a57d49deddcc8e3c06536f2c56795
7300535ef26158bdb916366b717390fc36eb570473ed7805c18b101367c68af5
23b7eb252bc2a67247c1a93f3f810acb46664d21fbb029051297c016e2991bcc
fd3164057ef5cfebb668b25b93a0638edf8d032f7a1e0c13249334bd913a1ad3
d07f3d05d91790637901f276b2b2a13ae4006768c22d9e6576a283a916530e38
eeae24981abf36649d9eeeedaee30acb50374d5567c8543e66b9c337688a7794
887f393b62c6c4b69e81cfc772397619082d936dd38cbcbc0f54b623ef871af6
12156a70576773f3aea3bb59bcb042ddc4033a7e0c1ec5dadaa8df2470a53664
a932a1ece48c319e2ea472193afc00132644c7540b4d0156b1c9b518c54869dd
a91e52d4bedcc2c8114e3f2ddb80908c4abb92b0838689a14818494009088b95
7ea98bae6d7f0176c1ae6cecc9bfbc8611304fe007899d8d989425c7b13f3339
238525043acd0e92e92f6317fdadcb469dd26ef5cd7460e0188a673165ebef84
9410ad58ad07e9b3ed28bc9be7a567ed733e14ca0de9faa470cc7c200ddd917a
2ded7ae6526b0a58dbeb50d575c13c84f76751f15a81ffb81d4a4d7f9d8539ce
232a7e46e445365072b4a136330efec9284ce63b7b1525442a10f68a8ef02ee4
1fa03ffa990685dcc676b8706fd5ef7246de2c18b97c14d882ee25b0d130955e
9529683e6579dc09cc61d5f2e5909d922f2bb589586d9c2350642d525924c1c4
8bcb1766e1f236382b36fab2fc6a8ee385275c0acbf3067471cd9b35703f2875
9fd0ede72e03f6a4897daaa809a4dafa9b9e0eeac52c5244b11df40e9a4af2f2
ece49e828c96a3cbc96535f04ef66109c997cb13a87850c4b66b3de0fd2818f7
320daf03f7f2b9e697955ebc5c479c51fa3fb32caf789187c54b52749550305a
01e140fe679c25634196075a34eb5c8594ec3631571023282955962b3dc1f609
0d222d3b5efc99f87cab1fd26440f65f531c1058dad5d9153e45331bbcf5e856
f7fbfc0649a348b742faf012fd443a55ee310f475a9b58d7b07ede4e0428f494
b5bc975891963c29a16fe8ac7dd612f15afe937fd14ba95707a6ab30224bfc7a
f6093a0d468e3cd2df9b2563336ccbd3b5783e8c06c52e296770fc31fe5257f4
99430e62ab4f67847bae708e0414b25e6df4a3631c7477231ef4bb3c214d37c3
25f9a9731702553929452710d25a8587ca7e7e7ef9494b7f82c6682a2cecf024
9d206d3991c8549fb048a2aac2bf5aa7d25c0958713fc8f3aa2bfec18d47dbe7
e07298c237f7f69d83c9760409b8c38dc311581008c751c3f6ddd37bb408cc87
e3ce6cb3e592837181c06c157cd1afd190afbedca9c66da7f4dbaf58c51afcd8
143a58287706e26be705b3756cf1810922cb28e92954ec6e669131178bf196fa
089e95b16d5f1acc07ddaf59d1edf60fd52ce6cd29f4bfa17377f4a68c383d12
662c96f27f4533d72e97b4cffe31be71d810dae4e6c1ac981060c38d3f627142
a5d951ea30a7079b09113a1f7d98abfe809f8030be45de8f8f9e96a51778867c
24d731e94d2250181a75707739b145da491194c5a6bfd29fd93ab276bb106601
SHA256 hash: 42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856
MD5 hash: eedbda81d4f3d69ee2798e40a8a5572b
SHA1 hash: 68226fb98f6e93db77d607dcc305716e8a80871d
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload
Rule name: AgentTeslaV5
Author: ClaudioWayne
Description: AgentTeslaV5 infostealer payload
Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: INDICATOR_EXE_Packed_GEN01
Author: ditekSHen
Description: Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author: ditekSHen
Description: Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: Multifamily_RAT_Detection
Author: Lucas Acha (http://www.lukeacha.com)
Description: Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Windows_Generic_Threat_9f4a80b2
Author: Elastic Security
Rule name: Windows_Trojan_AgentTesla_ebf431a8
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: AgentTesla
File: Executable exe 42c52ed2af4708289cb182a0fd83026691eabc7c4916a3ef0cf8a01b5f890856 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
