MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
SHA3-384 hash: befd1c037a7c328a3607aff40ff20af2ce181a8121f0dac906f17df8c8cdb8b0e44ea01e2a1a89cab45261a3550883bf
SHA1 hash: ab90d51c523a61e46ad053c046c3d4765f3b12a3
MD5 hash: 2b053de6103f3da71504080dc0eecc4a
humanhash: high-neptune-tennis-pasta
File name:TÜBİTAK SAGE TEKLİF TALEP VE FİYAT TEKLİFİ _xlsx.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2024-05-06 10:00:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:RlJMiAEfDX3mKXW1uLzqEmxlU5o5KeNJGlsJWrE8zX1hCWOSBH8ycETckfjXFB:RlaRE7XWKXW7EN5ycuWrrzlMWRBc5kfb
Threatray 1'238 similar samples on MalwareBazaar
TLSH T15FE42326B398BF97DDAA80BD405290045339A771F41EEBC45E6949F2C7E3FD1814BB82
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb.exe
Verdict:
Malicious activity
Analysis date:
2024-05-06 10:02:50 UTC
Tags:
smtp exfiltration stealer agenttesla
Link:
https://app.any.run/tasks/353538b5-a5b8-4ced-8f55-6609026a871f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Forced shutdown of a system process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7627912-297d-4bb2-9378-ba135bbf079d
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1436676
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436676 Sample: T#U00dcB#U0130TAK SAGE TEKL... Startdate: 06/05/2024 Architecture: WINDOWS Score: 100 42 cp8nl.hyperhost.ua 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 13 other signatures 2->50 9 T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 _xlsx.scr.exe 7 2->9         started        signatures3 process4 file5 36 C:\Users\user\AppData\...behaviorgraphYcoEboYmuloT.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\...\tmpE5FA.tmp, XML 9->38 dropped 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Adds a directory exclusion to Windows Defender 9->64 66 2 other signatures 9->66 13 GYcoEboYmuloT.exe 5 9->13         started        16 RegSvcs.exe 2 9->16         started        19 powershell.exe 23 9->19         started        21 2 other processes 9->21 signatures6 process7 dnsIp8 68 Antivirus detection for dropped file 13->68 70 Multi AV Scanner detection for dropped file 13->70 72 Machine Learning detection for dropped file 13->72 82 3 other signatures 13->82 23 RegSvcs.exe 2 13->23         started        26 schtasks.exe 1 13->26         started        40 cp8nl.hyperhost.ua 185.174.175.187, 49735, 49738, 587 ITLDC-NLUA Ukraine 16->40 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->74 76 Tries to steal Mail credentials (via file / registry access) 16->76 78 Loading BitLocker PowerShell Module 19->78 28 WmiPrvSE.exe 19->28         started        30 conhost.exe 19->30         started        80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->80 32 conhost.exe 21->32         started        signatures9 process10 signatures11 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->52 54 Tries to steal Mail credentials (via file / registry access) 23->54 56 Tries to harvest and steal ftp login credentials 23->56 58 Tries to harvest and steal browser information (history, passwords, etc) 23->58 34 conhost.exe 26->34         started        process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdohuwozreg3pmbq6a5lug5vyzfuahsxfvctdr4vnsbgl2cg435q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
08a5fb6838c3c5a8d96de60ddd54076366c8016fe16c00e741a76b00662da1b1
AgentTesla
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
AgentTesla
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
AgentTesla
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
AgentTesla
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
AgentTesla
+ 1'228 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240506-l1pnfagd8z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SH256 hash:
4e3eb805f85f3e77207e6636ad1f5c585c24c19bc9ca522cd90268ef88124698
MD5 hash:
d6ce51e6b00d785e306f0a31762cb0c1
SHA1 hash:
bac25ed7af5bba9790d9d0237467795755cc93e7
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
SH256 hash:
7fb66b4744990ab56516e9fc89730f7a6ee0468a8c44745d2f0131d525cee366
MD5 hash:
b0f78f97ab33a0bb8f987ea02f34ff0f
SHA1 hash:
6e1d4f4e886f16f935969ed47e5e180a8e535a60
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
SH256 hash:
58d69063e7c1778b8fe306608d01b54712dbedc6865f684d2416facc208f3f23
MD5 hash:
c684019e698444faa861bd040ec4b439
SHA1 hash:
4caa1702d5ee83ea9074198adeed93269031dec9
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
SH256 hash:
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
MD5 hash:
bf426feba5a9a2f55c1a2e439b3f46c2
SHA1 hash:
4b547c42a4a14a4edac9fce0484eeff41f1ec116
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
Parent samples :
7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
049b5a9dc73afb156d98d5087d9d728287a857420b698ed12d494a2924341667
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
7cff23ba2bec8f206920f7814f67fb40698292d87b0137c9a87dac596352aa56
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
0c12ddd4730b8976410d8245aeb9f69d148afa2a1ae2a761ff82ca1744dfa207
47023bf6cf58f345002a5ced2740eb0244c02d1936123079d1ea41c427d5cf90
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
c68376bcbfd140e682ba3b0f7535af83a9653b63f090718ce028a9a65514959b
622cf81d55d81ae7200c6f7353d62f9ab64a43ba762fa1b604749d85ae2a8d07
1268ff6a657c693e5b4fa2ee3aa1ffcf3f5c0449ab5468fb430a3147314e2931
331621cd29733a7586ec0ecc51705f13433e146daeeaf2fc1848f8f5e8cb1306
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
9c88b2fbf7b78279ae5a1f6c4ea318e2d4620d1f6ce23d8f89b1bd3e50bc0f95
966f683a0580f7d052c49ebda86cb0fb3ea22199fa37698cc0e0fa7ac5a9a95f
cd04d0be3d3ffb70bda5e2dce9f0bcdd480e5209f000a91a473f8020eab0deff
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
0a750351ec2b43d2ff77cf94903bcb9a2fda69450d62eedf2fa4eebda26e07f2
377449ca71b8a9f0688ce1826a2b245cbafc8dcb56498eb6db9b5a973f5ef36d
307b6baff0d23da831efea1205facd7d4352fcd532edca732ac42322eabb6eb5
c5f5072d4434c3210c68708a250b1c62304f213c5f0447c010e55c6d4d6370d5
34f7239e0a54a95941f92fb3e1b027ee214ae6002773e917e23e58e28a754726
1b57a890251e57f1b1861cdecaa0c02ff83d438ea0cef15a677dfa0a67e7891e
ca7bfa1d520a6bdf0711c132a66bf28a10bad487ecbc225f69038ed95619dc86
5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
bcdc102d9b2ee935356e5888be20ed24f5e6916f668d1847a26630223265d197
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
6a37c6b56b588d4bb27dc42af88e95ac60bf80a0544870cf6476c423f4eec2c1
ca1dc64bb446fe0612f320105ab988ea750a7d7c9e1e0689005925dae6d3a8ee
c6e903556bc2f879377ea0e482875eb73d980edbc156419ea3bb741647e2ae04
22227fce9d09014d3fca954bf6fba7a40cdf9bcf4b8dd13f69914fab061d0dfe
83daa016494bbc800ff8e1db308b5e3dc9c0b73daaf455a579d8268b4f44f3ed
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
e7dbb76c52c158efa316bd2236902bfe1208e0742621b9652806bdc13ea3d6e0
203bacf22feee36e2d35a3846fce5db308f078942ce7ed5a16a9671f6138e46b
9db03971f027f14894036a6c0bc19fd875dad7387708a70623d1f3a8e5627958
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
1d7754c8cc8eb7df3bd429fe9806b85f7f6fbd768ff59948a1772eace6dec77c
115fc6621dd995b238916ac8629521d718fb941f0b455f019c85b1a4174f47d2
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
c28cff180b9334b37f4d59ec77dd36b6665e1a3e8f4625be51f9205e523750bd
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
9d4250be0e0211b67c9d2817e00441a0031156edf03e4cea333153275bb87519
9909d16ff5a6e59c3f55c3e4a8bc3c4fbe4fd56c728ffd1875ec602ec1ccd57c
8201ae4019ccfc7b3756ddfbed3f8fed7dc3f65fe47ca2d9b2ee67efc0d57e3e
c7a842c7d0b5d81693410eccebf67e1cbd0725fd1292dd695617494f47543f0f
1bc2001563ec7cb81fc1d7086b7d8bf36b285354015654b9ac2bcf051c68d2f7
403fb4a908a97f67ebabaa9d60f9fc520d3f3f44a892c8f3b9b9fe44edf59df2
4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
11434dae7da8d82c7cfdbcd435b920c3785903e41dee470bc4e191c6c87b5489
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
f4a45365e22a84bee73e3d8339ee08f2336d76bd78c3f25cf61a08e4a4085a2e
55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f
655bf2b084f93181d47b1ffb31e944da4cd4779a2ce1a17f37286b17684677f6
a26493d2e56f50c049733bc651849a42513021b26bcf8c9fbb4b71fd0b3bac54
17cb12e355a44f0aefb9ec8069817a61f409d455129feb61b489d508c0721992
561f3664b4dcc39b1eb79236231b0e36fb5fde10c8bda6d356d2fa63925f3a6b
SH256 hash:
f3c655b7405b888e1b70fc1514624e6679d5275195124dab147d676335a14564
MD5 hash:
6a0dd0417a45366517804ad211553702
SHA1 hash:
005ed2faba3389af1df01ab5a3079b82402c8f75
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
Parent samples :
e1b2bdcecafc712713647e95e0a5eb4f66c180d2fe0a357016772a85f7a0b86c
1bf711744adbf1b2de0f3fb5d8abb2966018b61fa5b248de1ba6aaaac8bb681a
bb053a3a97825365645e56cff486dd5b1e25b86a88d66264bdd4cf50a889fb85
91ff4b06f7998bb1adb5e183e8b3440a5f7fa743190f31f58ddf3fada68e51e4
ec7534a141105f0d82f8be59729135367412db7515de7b277687b5facf4d6b44
d328bc308e5ff8ee2d51cef6d963b63a8a498966bbb88a80b672ac680812051c
f769796d247965892aa708ab02692d2ca0f207f7e1c91e05098cd0684e56b29f
9aabc10562a1cf6cb564902721e28fb964f776f2e7c319252d77a3ac8f0deba2
feb0c2c55cd253b97c2c0959c69e88a7849bb33808d4ecb98d4c8da0aa7de9cd
29892da2a7bee385ddd6e192ea579f8f35f20134b2a8b5273c0ad10c93040f9a
9a405f12de1dc4e10c3515e36540aeaaabbceb7d3b4857e3d6ecba4c06cc4e8d
56a18ef03d93610834e7b53c24cb389f0f63d8296e2244a4ff1ac3328579cf2e
9ca2b5622a36e207a1d11a748f637920d4f96d88e34b2dede0840bcce07f5788
275f0215c61c0ac28c4da0e355f33fabdf5709dfc46eca4249a76f7925805030
d85a4e28a6003aaf9cf0a6c0bf3f5bee31eb82f39930f8ecec7657dd24093c49
b01f723c553f2255990656cbbfa5835293fd9489d65cd05b3d50799f063c3087
c7a296061f998ed6e86d15eb594248f1cf01f37a909c7b2553dbea7fbc805e2b
fe8740d99ceab2db3f8d780de23b7d42daa2918cfbdd7c4be197119132bdccb5
fad3e7058eb2fa88ce97e62a6a243748d6736f9c4e21e4112ed61a40813588b2
19d65215feee20f606dbdd5a4ed5196a96c6bc925df69ad26684a3221aec0521
213ce2632de1980290dd5a2835af6b5200d60bc451a9414b7904d8e30b0de305
707bbd9a748b709cca51737b3a5221c2f77090fa4af2d2bde2598d8fb08e558e
bd60848c5c86d483a65707d9c596938371a2967f18d6eb2f5c3db1140cce2ae2
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
62601d311e6061480f42b44495215c0137dd6436e74f5744008687898b28350b
584022a11fa25bc77ada9ec361c791001f8d8da848930b386f42841d9e0be7d6
f145869f71b3a2caf5f0a6ee1b2425efa2b15b1a0344443dfcb63dcadf954534
SH256 hash:
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
MD5 hash:
2b053de6103f3da71504080dc0eecc4a
SHA1 hash:
ab90d51c523a61e46ad053c046c3d4765f3b12a3
Link:
https://www.unpac.me/results/a2416a2e-5126-4469-9b3d-686564a04c17/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48dc7a59d989/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments