MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
SHA3-384 hash: 581a6e4c83e040a0d5437ca987d018352530bddd960dcc1f08cccba8a275f9c941ad938899666f22dbed65d8a76760f8
SHA1 hash: 82490708fb75ef57227bc619df99176d97b113dc
MD5 hash: ce10e438071b4871ca1faf189d7ecd95
humanhash: equal-yellow-avocado-bacon
File name:CONFIRM BANK DETAILS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:665'088 bytes
First seen:2024-06-27 12:50:17 UTC
Last seen:2024-06-27 15:37:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:CUwy17fVIZIGT2VMg0HOjPRP5gGmz6MebSp1wGrloYzuDrp9mFrpSuafi87:iyhAfrHcPR8TM+PLzYp9mp8xi
Threatray 3'504 similar samples on MalwareBazaar
TLSH T103E40200B3EFAF46E13E43B695366D101BB2709AEA64E34F4ED264DD1A76FC84514B23
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
373
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad.exe
Verdict:
Malicious activity
Analysis date:
2024-06-27 12:53:01 UTC
Tags:
smtp evasion agenttesla stealer
Link:
https://app.any.run/tasks/298ddba8-71d1-4ab9-afff-e3a73d4e75f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.IGJ.gen.Eldorado.16107.30890.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667d6053f2a3d25545469dfdwin10vpnfull_triage
Tags:
Execution Infostealer Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/667d603e0bf5978c0b12e2ef/reports/5a5ce72c-2464-4857-a185-e84596047afb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ce43135-26c1-4c8e-9781-d34c3bf2c51a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1463612
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1463612 Sample: CONFIRM BANK DETAILS.exe Startdate: 27/06/2024 Architecture: WINDOWS Score: 100 42 mail.bengalshoe.com 2->42 44 api.ipify.org 2->44 46 3 other IPs or domains 2->46 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 14 other signatures 2->58 8 CONFIRM BANK DETAILS.exe 7 2->8         started        12 XGDYsF.exe 5 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Roaming\XGDYsF.exe, PE32 8->34 dropped 36 C:\Users\user\...\XGDYsF.exe:Zone.Identifier, ASCII 8->36 dropped 38 C:\Users\user\AppData\Local\Temp\tmp23E.tmp, XML 8->38 dropped 40 C:\Users\...\CONFIRM BANK DETAILS.exe.log, ASCII 8->40 dropped 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Adds a directory exclusion to Windows Defender 8->64 66 Injects a PE file into a foreign processes 8->66 14 MSBuild.exe 14 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 22 MSBuild.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 48 mail.bengalshoe.com 192.185.33.8, 49737, 49739, 587 UNIFIEDLAYER-AS-1US United States 14->48 50 api.ipify.org 172.67.74.152, 443, 49735, 49738 CLOUDFLARENETUS United States 14->50 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->74 76 Loading BitLocker PowerShell Module 18->76 26 conhost.exe 18->26         started        28 WmiPrvSE.exe 18->28         started        30 conhost.exe 20->30         started        78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->78 80 Tries to steal Mail credentials (via file / registry access) 22->80 82 Tries to harvest and steal ftp login credentials 22->82 84 Tries to harvest and steal browser information (history, passwords, etc) 22->84 32 conhost.exe 24->32         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-06-27 11:24:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kl3cjt4voguehmjgvseawx43qglxjqblgxkwjaynbkirpobmvcwq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
04905ab74af1d34a39fdb2609f02e26f5a45f9404874e70efdb9b723d7cd6b9e
AgentTesla
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
AgentTesla
81fdcde8fbe4d7ad27f94d3bf8b8276aecf45ae7017e6385c6a5f3e472465dac
AgentTesla
88989d52aae6ee018cab2afb8bfd712a29177ee9e20365d6b228a25828c25ee8
AgentTesla
e7ffc4214d13d6bec7c08d1ff409516585461baf790bc99ccd1e5d58c7203d11
AgentTesla
+ 3'494 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240627-p3gmdsvcmq/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SH256 hash:
f90c9c1768e95cfeaa4c0c57ef251571f001d4454d0ca80541b55a0d4182aa5e
MD5 hash:
b79e923379b3287e3e8a039e45609660
SHA1 hash:
c94284392ae41168e81b2452033613e651bb355e
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/0073049e-170e-4150-8bbb-0be8ed332e81/
Parent samples :
6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93
b89f9ae90e40b950bb2c2205bcb70a42da20d12d6044dea8e4a57c099846f729
0c7a66057004515fbac9276dcdbfb9594afd4316ebe900a9ead8d40f6008078a
df42aed98863b49a6f208ef3181f08ba5014cc3192c3a406dad6def44e4a3c14
11bd38092d7eda3842cd5a5dc3fed362d5a5146ae6228a66b8ac2693e9a81279
07c90d353d736c2a8015e7f1e86d4492d697360132914e1379cff9f0e0385ccc
6c721f64b26bc43ddb3cf84cdc213f3cec242df25c73bbb61ec3615fa7a5ffac
8f4cb88d415e2f69fc68b90950a51cd76edac741b2fb8ad899dd0919fab3d483
eed44dd24a2a323d4bc0cbd07e41a9eac099b9684cb1494eeec4f954a2ecfc65
2c63d5c9bece740d05d08aae01b061b9845ebc9c61aaa31417e79b59c454d7be
32ba21b45f7d4a8ed2f4d8fd0736636d4e70edcc4b956ea4c43fde4de696c0d9
a9b71bd91eac64c98a1519e907789fc4aec0bd6de47f643acf462cd4aff8aa8f
e6857118aea19c18f962e1360848b8061eceeb5a601d5a331589ae8fa412f0e7
0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763
91a3a97b17a9ca19f8386aa805924d1a553f06b94b13f43c1c936d0be1782ba3
0dc82a04b6db46d96cccd1ac6808018f6c99727d21247132e8758e4cb7a572ca
5ef6dc0f7dc9b434dca80df4d614c4784fcfc693a628b0e43c564570ebaeb402
f85ceead2f82edd03a65480f3debdfd78c1a34427a99a2c50acd80f7a7deadca
115bc334419a209518a0d06220bb12bb5daa2e1ff086eddb23cf9b9191eca203
3de592415d4a458179b6fd30c0711bdc0006628c7d23d93ef223c26c82d50f9c
fab7aee1a03476b0def49395c4bda8d799c2d0302097562fcb95d23dda980633
fd05577096a8cf7e8a3955da0412f698199b9d2f53bea732351b7f2eb18819ce
281581bfe30a69a5662550433d9d7514254bccb890fa89cd2a77e3601a0b62a4
7f0f2c04a5204bcb0314fe9fdf9a3369e516e19b0ead44c8f1d3319d59010e0d
624bfb4fd94c20dd2c4db18937fe8513ee44081981612c8377fb6363f1cc2942
88ee50dbfee90121de2f56cbb6fb8e23384f2423a0598a45147fe08f6503cb3b
f1a7405298874fe0382def7c612ff12d72e7315f5aaa514122200d461717ea44
7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb
19c2d1f233ea3d256026796196e7067af26534ab46874cf4fdbacb7e73e5922a
40898401f5a784cea08158b22b5a17c33791882e6c7c79afcd25690281b73c02
253ae6027d114caeb26331508c9c916b54fe3561faf46679c06c48dad8860cac
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad
faf0e3fa2a040e49e3abeb69849e3a25ff621bc8499c70dcceb577ba89bb5929
cd05700b5fa43cd11f8f5763bc9340b8f8ee40cdc64765cb604ab28ee68a1d0f
505ed9f190d5f7a4b16075a09119a9c2952b2d9c7281a13c6a07f4840200e878
712c970fa57cebf6ccbe56758bb5c616f103d08a9a1404bac0b7ae3c08d6edeb
ec4ae5d1e86adee06c295ad77006d3328d144aad4fa2d0dd4fb7fa1380e21406
e2e3f3315015f5ffc74fa9f868861331fd7afae3b0396fd7911c61aa8606b0ae
a89824df9b88e6da624d0ff53b72685f10eece0d54686d9b8defb4ab9a8e5f9b
58d9c0736d0b202bc82acaedfbce1daf33c8402f58e246e8a78190f445f2c6d6
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce
140a5535a35a820de41ed7441f1278898247a6adbc2594d8a1f34bd9f4715eb4
b5500a5c920ed8eb3519cf519186ea942f1a459570a2ea0653f33b9bf84089c5
0675bd350929e619eaf3a4f22b68d32ed19e451bb7f8aba8c6e4f242bcb791fd
a5154edc933c692bd6160ce41e1af9d27782f21ba1d25403d1cca7aac25c44a3
e75f8000fdd2081700afa2c137c683bd424d8eca3c5fa928758ba18eeca8f194
1831a7d7cb0309018b48298dee3d789eb6aed6bee466a4ec2cce27db09e458f3
abc5d7e2fe95585f2c118d1e8ed171ea82ec3c76b02353aa5acca13cab13a32c
2ca8a08a83d98fbae1d8683cdb828b64216f9849ee539e09198db53876d419e9
ce51bc85fa9cf4a581de693c5901e0c03fff712c40f723009e393bad1a18d014
40043668b0ad9a66018432d3e9ffe7d0466a6348a8ee6250a606e841e114b270
a745afdd5cb81567de1560ead34145f713b7894058aa2097d755bf5d09b9d34f
3c0b94f379c5c568f8f3d406b22b642d3fae60094f8dffbf2e24c87c8435e0a6
e30e81cc9d2c5e121942bf9bbdb9f1bd164842ab3a380b25a2d7f25c9a358f7d
43ca109175c43c1c619405c79eb8d1b16b077741d87db5715ccdd58de9146bf9
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
def1c893697505de0b722e6fb3e516bad1c37f8e19599920714d29861639c274
269e0464214adee11c3339c18062ab56d83d34e745f2809ff35de0bd1ba62bc2
3b253bddd8e49b0353b44254fdc82c53c1614f5c2d09e2fde95698ad3a7815a0
013e39d10c6ec3d7f91105322804e5ec7d6cff966e44659fc568957f243e67a1
eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0
d2b5d02ad0207f69484b73eae658c2c08b747b4b3125e8856c5f0df261217f1e
71c91905a377be84dca1c0965d8ef92d7c4cd53c137205699f26582cf8107476
dc74ae7a70778659ee1f27f8e772ab2513299da34c7b2eabb866152e5588720b
7289da5a1cc6d7149e862660a7f3f48db0ef1f6f8e5de991501e72bde1192be9
e9d082e59f131a020a870a416b1fbd2aa978f0706fa690080a268a5295bd8bb2
c0e6cea1456ebc9c970e4cfc70ad112501a744373e25c74ae318e9654f852da5
a23d1f07dfef6b5fda6381ecf6866746d624dbc1e510073d83f431124bf7d556
88fc5d96ebc31042f41c8d80e87a1d6b8c4fabe33f11717dbf417f969604af70
8c3c62aafa4ff3a976150dce366c39675fdeceb96362d9071acfd37959770d66
1ec1d53a8f8b891c32c4102cb194093296172cc21167887a7d28b09b88b8b8c8
8d39599a31cac2a8cf51d0b0d6dfd6dbafa76dd1cd33d70d0ce6a8235c662a5d
bf8c949142a94cd782ccaa81fdcda4e35b3864a1907c5be0c6665a7eb9b54cd4
d1517990df29e028a1fc4e2da10b0b51820fed7d258ddbd4c92543538e03a5c9
c9e1b0ef9cfac8e4e002a5609c366489564b246f633d0685fead77e46f7f7d61
6a38f9fba4979abf0676bfa91c7d4ee75c583a6e2ad1a4cf71a3e623b7aa8c37
8155b09e9644fbd69c30e5edbc1fa823d9b9cd224dc9dfe4af8b47ad3f1bb756
4d7d64616dd21810a0a128df33c3cc2f7332c67dc9569f1795d55fc4888177b9
7ddcda1e8561e9d96107c717c5cf5ef9a2f3ff3f5f4c1b188b92b010fc779aa2
467803efbe8c9637962cd2141757f7cdd184cc57f46d75fa8b074bd81229a3f1
a4e1544dee96f911479934ecd89b51ead1ee008026a2468f65167e0d76cb459c
6e3f83c2f76db1f32e9243e7899b98655b3e49658463560513d9a315e865add5
a01dcf8636b3ad56545d228cf3e38c3554ab5622516d1fd9e52b55249ab7fbea
d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
b6f0586d835acff8c86c02904729023d95b10d879a066a9eeca973deaf582e07
8647436d5b5e93de1fbaf9571e584ceaee4a620cd39b60472da87e694239c317
22a01767b082d5ef80c5f191c653f73fc7d4f9d2742229580fd928a9a867a4df
7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe
3c3de54110bc665e6d31e2455372fc489ca5f3be4e0824ca7c0b58802663dbe3
251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87
2f35d828d19942c2daf1989fabb8565c56f9c2d6f3b00e3470c7785ae4ddde50
f251fe71103ef7bc4cbdbcfe9c1d7c4a595f831e51cf4064f2bfa595f47bda35
96c5089380f7452f4695bc517e83cf49f38f5de59e82d8c1142c770545941285
f211a840befa45cad5c369f64b91ff53d0dba7e98835dec3886ded59746e7333
444fb4871f9ee687f90ecf33223c91bbf263a7d66f1c665d653ce71559c557bf
8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
33f7683c768daecbad44d0b27d44ff13be3340d1cb81fb59dbfd7558cca21797
a2f6bbeb5c2756cfd0a71196e98f0b4f71e58101b3e39342015aad98d70d0f31
6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
c42f31c68ee4a14aec74ddce249314d00813289dc36740484b09ceadf72aa0f8
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c
0464da926fb18f221087c3d88c51b18b81d5776e559fbf9b76d8e1301c95a8b9
a5a3067e6a3c4e957152655df5c68ce4db77f8308feff43c53e7535031033be5
c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33
0f1032dd6e6e984bd0e31d1edb45e027b12d0ec1976505dd6a4d1dd2351931ac
86329825eaf86f08f84bfc3ddd8870b5c05f47a43aba3695eea5ca4c7a0ee00b
c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
26c199fee4db63767ab6a7ca3b251ebaa3d8d08150d1aebef56546bdb5ea395a
80b9b09d79c390fb55a56fcd01f0189e85e8cd8272befb7f35ba2a19ff9ae30b
5aac87d916d8ec903c67280fdff17ce94064c80e0717d7e102d31aa26aa003a9
67bf84d91a5494478d5910d58170c72f85c7d778d755d003b94344a691837209
5327a0f0689f136883119147b37ea30c8d917caac1135909d4b256566180b04b
f87529bd57f54630ff4e0a8391d2e02bd04df4b83ec7c2b879dc258f81103978
21d5d8b254df4c982f0d5e2289dedce8859f154b494a7a560834c6ff341028ea
09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef
be03b9620b1ae59e5a19f50ee5526a7b9bb4174e09a79cd82a5cf108ecdfd4e1
699af4e8e4d2f3b3ab73268c846f4013f677bc183b9c561279f88c0239972b9b
cb5c22f0aa405129ace6079f8dea8ac27fe89377db7adfffa3c539b59990d6be
6bddff781a97f7479e290a3fb3f34c681f98af9af4ab5dbfb14006bb63223522
018b23732bcac6e2ccc7d8130259b5085d10dafdac74737e1456b5f38ee2c81e
SH256 hash:
f06568910f8a8db5e48473141ffc43c5609592b21119ae10853f3b7caa4fbe88
MD5 hash:
473c42e90675fb6ac8227cc5ab49b46f
SHA1 hash:
b5fcd386ff0e6ade8c551579246df40d6bcdb00c
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/0073049e-170e-4150-8bbb-0be8ed332e81/
SH256 hash:
8efd28edd07378d15171c4c9114d3bb9c8b8fd1e91651920454d1ea0a28124ea
MD5 hash:
dfabe11606388c64be8da9d966c4c4a0
SHA1 hash:
6ff774dbc99005a123446ea4695b5e2601db394b
Link:
https://www.unpac.me/results/0073049e-170e-4150-8bbb-0be8ed332e81/
SH256 hash:
5e7b6403b1f545de716a736cd497b836a527b2c0cc45f0c716830209df620e42
MD5 hash:
697819049b195f816ec9f58d21a046b2
SHA1 hash:
4eb52569d476b593fec12d5f76cad3c3591fafb5
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/0073049e-170e-4150-8bbb-0be8ed332e81/
Parent samples :
ac7341ace222bc469a357f03c99f5bb261e4119f19650fd71aeae73dc0815340
eb79cca838f57ff5f3bf13f3bbce26859ec27d6dbcdc96ada3c2ead3ef27abf7
18f7507efdb35483a8642553f66647b9c1cc54d67614782622b7a64261042924
8ad4cfc5910c7367a8d9e92d4a1ebbb02b659abef458d8ee765ac09e3e46a484
5026667da06595a547008ed53d4497871f944b195e087aabaf2d94b378b5a99a
5f53f29acdf74a080f30ef950146b680b8e1e779ea69d3f5c4c4556d8eef1073
93bac967fc7f0ec207d860387884416cfbec72dfb8dde37883bd13e1c6df4e3b
e6467422567d07f55c891b1c452dfb2c3c3d24ffa243799c91004cedb8a0dd0c
493b28fea1ea39199b503c952ab4efaa8fd3ba5a5d5a2d9df0af21d031f3ea4c
1bd8c28a74a99cc6eb115161fca392e4dc6b424bf3ff6814f688e470209b0825
981e1722151983fd674cf51efb06108446980136d91110b00cd2e0ef23e67ccd
98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b
887c98cdd92bba9a1eb80add8cb6f5b539447146878aa35d5da911556aef853b
7ef843eff8a539d4296d4ef84613b9d1efae655d3d5bbe7d23972ac414e0a25b
bfc0d2e3dd073d6bf418cb078fcc85319e79c63289d0b2b6599a09759fbcc8f3
28d2b1b1dcf69a8c47eb0d2950e6fa9942c4595ad90dcc327a36450c4a1ef47d
bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4
a3d537273efd479c1cc02c3d7e288482b495d119ffe172afa28aa33a6c90522b
b179625b2f487cc949cb028cca4ef76847f8d8adf054f5d51ebf9d66ecc1dc80
48dcd87fc8e5dca5caa5788ee49d6cbdf1f8c76f789b2fd619665a07af9b5c57
bf2bb447f3c3344ff70beede0d0889840d533b011f963136b9e3b1bf897f7991
c62f2e8a741c0b7d13ac165ab64d572f291102249eef3645b9640f84ea73cd4d
7e97d7cf523a436936c20d4397ad8044177c0ae49c4ea2cf0c9dd77ce6a220b6
ea78c3f4077f3adb2d1269cb445a19d19d8cd8f53d91521b78431cfbadf14d74
1b42d958ccd31edd5a5839eaa6744c3d07d3708dcbc38f4b683d89e1f85dde2c
780c4d3a33c89cd911190c17d7ba3ad69e5ddc66396762e4bef8ff67bd45b7b5
1b4b1066bf9af0a1a45a2a360dd50ab0370a617bd87f13e2e300eee821b398b0
2e462a8c998653e668f36fde72e6dd5911dbdeec6c7dbf4f19cd064b39c184b5
5bc71e7b19eb41b085410ab03ff51651ec69d31f4f672a75ae580f741f0b4ee6
e67fccc9c4055f580dd361b3224a292ad2eb2b4f625b123a4f36872564c8c81b
845c3ba76768948ab3df490599f02d060cd464c6251e16e7847d53707254ee46
d2e215628c338bbf51dae9c69864717aa706f767b082ff5713cc6f4869cfcd81
104fa5737e0c2aafa7558bd7bd6080cf54ac125b4337f4e0515e41d9e1370a04
c5e436daea517264f270beba101c5d2ae9d9b25a72c8c4ed049239ecddb7fcc8
f6a3a015f35a4e3a6c33c51b9368c66b6dae0331f8cea6a53a87edd429968481
0f3ced014fdbc362af044fa537e823784aa7057699041f84065de9cb24f45069
cd583aa76a762a640be309b14234e47081d254d416b0567afb293f219428ce46
afccbcb46f3ef4814055e5d4acbef95679cb05e80c7b57cdd49df43234cfae66
c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
a6f3627fe6e1480bb6bdab4d1c303915234e6af519788609f7130a6099fa046d
2e1d4437ef481128a02c50ef7a9a9e366bff5809c74548191e7e70452ccdf42e
348a670a96b8de07cb4c376807d33bd7badb5f747917dfec6f3fbccf7c966bd0
17eb6f223723f4f80cc9c443b6f751fa690eb67e44643d688a305ab96e7dafae
0d3dc72897efce304e361a013137643fa8a93b26bf654980b19120d2b242de7c
c97a7970e247697ee931d61c10242a1f0f2b24d4e8ef784b26e7b8409ae13131
b89f9ae90e40b950bb2c2205bcb70a42da20d12d6044dea8e4a57c099846f729
0c7a66057004515fbac9276dcdbfb9594afd4316ebe900a9ead8d40f6008078a
df42aed98863b49a6f208ef3181f08ba5014cc3192c3a406dad6def44e4a3c14
11bd38092d7eda3842cd5a5dc3fed362d5a5146ae6228a66b8ac2693e9a81279
4e4855563c47f7a6c230b54ef27c2e1d46f6d895220588d5ba50652414de98e2
60761883606401d50efcb7441ee6214e4b1e90e89554ab7df2aa852a970807ae
aeed87f06c1d73acfe30d7bed14be7929caea7c5011582b8a807c8c72e88582f
68f60db69dd7b37366528129904a919dc09eef98f604447337da74fd757c5e15
857e4f74c6f7824d5c0a201bce65c2c0553657c6a095190e442d01a215a7e2df
b2674ba6829b75d6161ce5bbb523892a7ca369e8b1a0c6218b67a1a08aec22c7
66fcfbb25cb0e50b4cd85852ef21ddbf36e4c19a36cffef9e5f3e22c04b4290f
35bc174139612d416a683cb302b450d21b1eb2a8cc23d0fb22d0152b35d585c6
b449b20b95c94cd1dc77a0edbd7eb8c183392ff0bbb53f2ca374d129f5ace20a
a3b66fd528f2728fad40ab4eb46c8f1fba303b2c3ca54088fff6223da96c483d
316352339068b73a707dfb3f7607a20570ebbfcf353c4ba3673f20020265f550
5ef6dc0f7dc9b434dca80df4d614c4784fcfc693a628b0e43c564570ebaeb402
f85ceead2f82edd03a65480f3debdfd78c1a34427a99a2c50acd80f7a7deadca
3de592415d4a458179b6fd30c0711bdc0006628c7d23d93ef223c26c82d50f9c
281581bfe30a69a5662550433d9d7514254bccb890fa89cd2a77e3601a0b62a4
19c2d1f233ea3d256026796196e7067af26534ab46874cf4fdbacb7e73e5922a
cd05700b5fa43cd11f8f5763bc9340b8f8ee40cdc64765cb604ab28ee68a1d0f
505ed9f190d5f7a4b16075a09119a9c2952b2d9c7281a13c6a07f4840200e878
712c970fa57cebf6ccbe56758bb5c616f103d08a9a1404bac0b7ae3c08d6edeb
e2e3f3315015f5ffc74fa9f868861331fd7afae3b0396fd7911c61aa8606b0ae
a5154edc933c692bd6160ce41e1af9d27782f21ba1d25403d1cca7aac25c44a3
e75f8000fdd2081700afa2c137c683bd424d8eca3c5fa928758ba18eeca8f194
1831a7d7cb0309018b48298dee3d789eb6aed6bee466a4ec2cce27db09e458f3
abc5d7e2fe95585f2c118d1e8ed171ea82ec3c76b02353aa5acca13cab13a32c
2ca8a08a83d98fbae1d8683cdb828b64216f9849ee539e09198db53876d419e9
ce51bc85fa9cf4a581de693c5901e0c03fff712c40f723009e393bad1a18d014
a745afdd5cb81567de1560ead34145f713b7894058aa2097d755bf5d09b9d34f
3c0b94f379c5c568f8f3d406b22b642d3fae60094f8dffbf2e24c87c8435e0a6
e30e81cc9d2c5e121942bf9bbdb9f1bd164842ab3a380b25a2d7f25c9a358f7d
b7b48d122d433baf4f3902f723bfebd850d9696b1e815ba6cdd4c46b9bbb47c2
43ca109175c43c1c619405c79eb8d1b16b077741d87db5715ccdd58de9146bf9
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
def1c893697505de0b722e6fb3e516bad1c37f8e19599920714d29861639c274
269e0464214adee11c3339c18062ab56d83d34e745f2809ff35de0bd1ba62bc2
013e39d10c6ec3d7f91105322804e5ec7d6cff966e44659fc568957f243e67a1
eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0
d2b5d02ad0207f69484b73eae658c2c08b747b4b3125e8856c5f0df261217f1e
71c91905a377be84dca1c0965d8ef92d7c4cd53c137205699f26582cf8107476
dc74ae7a70778659ee1f27f8e772ab2513299da34c7b2eabb866152e5588720b
7289da5a1cc6d7149e862660a7f3f48db0ef1f6f8e5de991501e72bde1192be9
e9d082e59f131a020a870a416b1fbd2aa978f0706fa690080a268a5295bd8bb2
c0e6cea1456ebc9c970e4cfc70ad112501a744373e25c74ae318e9654f852da5
a23d1f07dfef6b5fda6381ecf6866746d624dbc1e510073d83f431124bf7d556
8c3c62aafa4ff3a976150dce366c39675fdeceb96362d9071acfd37959770d66
a01dcf8636b3ad56545d228cf3e38c3554ab5622516d1fd9e52b55249ab7fbea
b6f0586d835acff8c86c02904729023d95b10d879a066a9eeca973deaf582e07
8647436d5b5e93de1fbaf9571e584ceaee4a620cd39b60472da87e694239c317
7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
3c3de54110bc665e6d31e2455372fc489ca5f3be4e0824ca7c0b58802663dbe3
2f35d828d19942c2daf1989fabb8565c56f9c2d6f3b00e3470c7785ae4ddde50
f251fe71103ef7bc4cbdbcfe9c1d7c4a595f831e51cf4064f2bfa595f47bda35
96c5089380f7452f4695bc517e83cf49f38f5de59e82d8c1142c770545941285
f211a840befa45cad5c369f64b91ff53d0dba7e98835dec3886ded59746e7333
444fb4871f9ee687f90ecf33223c91bbf263a7d66f1c665d653ce71559c557bf
8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
33f7683c768daecbad44d0b27d44ff13be3340d1cb81fb59dbfd7558cca21797
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c
e3308f1dd36bd61758447d5c6eb6e90adabc65e1119bbbe78537c3e3b622835c
b2059d6bde8d6af8476a968a13f14486edf3c905495a36cd963dc9765c40863a
d19b5a1575fa5271b9888b4cfeaefa97501a6937a9a97bef8adeaf85a619ed6e
a7b52cf2515d8262cdbea58597fb73cb7ff5a9d1cf82e232cf186d0947b17f7c
92dc348193523762bc873e593467abfb04b3509f650976608e6c89436eea993f
d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
d1e3807c89e5cf0dc6541e2241cd052698319bc15ce5335bbb23352f58308bb4
47830d839ae5a350a354134943cf6d177d78af6aadcfb7700ed48afd60254c96
825f69fe9f15110c8199a4f1e9ab2f316385585a6b436b9a7c33ab2dc31fe76b
b9656140215404d17dd5e081226c84638776f6bd44adccdbff29665facdd71e2
394f4b6501c2bf285cebb93d355d5a7525e8470d7c6c6f5142e0a9a9a52be9e7
764383701d3baf35c316f19dcd0926a6818769e5c659aab5d2db7586fea3df6e
07bf5e726ae6e3eb3d135dda4314a00b99d6470592da7c87ae186f5a745fb5d9
3a2922837d9ef526c8e44c93e84decbf93f9c0ba34a43241c1f77f9594f26dec
8c57fbd466e5026289d1c56bfbd9a09979f3ef516b318318dcd4ef9a8119f4f8
e52b3dc41d89873f785b8710d0bbd2efc1acb1f2f34f36957e909d3113bb00b8
6f19b81c0a43cadb5d5447e3dc0485c04fd400d4a0656ff4af092ab9faac7213
3bf21e8b1e7af8f546a342fa142cc296fee61b9cd48cb250ba699d60200694dd
1290144f772581d872189713bb0fa06f9ddefbc34b96203daa1385428753c647
6e96f02123bda97a2255ac99a19e72e477237ecfd69755dc042f243affd34af4
123a6e0ffbf48e1136e15e255e9eed03e7524b1999f4afb480ea59ba9ddf225d
a8528698af2f0256467229c6e265bad403c57d941040cfd94678516769587394
f0ec07e537c7bf74abbc66af82e1f273fceca81467e1d74ed69514107421de61
e61c55bebdde9bf6dbfccb5cbee08d10d4147b71496624e6d1a220f8bcd7ca4c
866c6f0599d2375ac1d50a165f5735c74b980bc6bdea3f023522f897999f6770
72629b026d1626923f7d3280d0dabb7c1a9ee869b7ce9ec2f02c949544c8326f
dc98561aa04c9c3d9297d9cbb0612db5c537d2d44381265263c30433b7b955ae
d458bbf26ec21c119bb6d6613367f43b1d854d3e51eb6eefaf41df19e76a4039
77b793bb0e1a76c821c2ce95add67a09dbfb3c2aba4b8de5b09cf4eea4546f99
447a029de16aaee71734ac59079379bb6e054f4a91244161af4e31ec1a54e69c
55d5b7f7b3486740cc5f4d89a05c0036087804127fe537c97618aaa33399539e
ad803445061842b349c8988b27609bd0d79cbb12e37bf0e86ca72304d057ad2a
dacf76612ec19aa3f80f070321abac8830e376981ccd5ec4eebd1ba017c6e462
c3a045823e045eb117eceefa8d34697c835fc969831e0f1d1401bea5edb8e596
4d7a7d2b1e9422eae20449218fc515b1e526d03f1bbf0d371ad4ffbcb13a51b4
0d7f81bf5df4bb53947a85f21d0e83dccd3e151b2fbabfc00bd2eb584a273f0b
16a7347fc7b7eb611e341bff5d6a7fdf6ab600e30c0b71dac8e672e2e7857c47
4c38813ca8fc7a8a94acab611b0d5a8f64592e6c8e5df52e35b7182cdec8dab0
b250139ddfe1f4e0849357b17563dcd09d2dc82f69730c7e5e3797148b47ce16
89d5d25cd020213d6426f13296765683202542062cdcfb10b611d46a65d38d0f
2d6eb4f35570a71972008b6f1e3572aaab6d0ef97e19c42dbc68aeb57b670964
6eecadfd2838192c745cf88fa82ed4e96d9f27b15f1372ab24a5e94fdba22978
6ce9c6e014f84badeec8435e6e781fbde6946dc45b627aff3a307e4dee1f0934
88fcbe786b16f3cbb9292ed742d3e284d1936b20e4567cd0318effefd61fc176
48d19b1644c9d67726df35e5ca07970db83813e981ec75a0eaa89960d8b5d020
eaffc7cc6da06f5894642bb88fff4a0186cf61100558af3cb552145f86d8e041
c007abe1f3573ab9a0a63e586439590a079da51afe795328b9a0866be4625b6f
8797ef6cb2e95b65334b38d11068783acad3aa173ede96e152ad66beb40deee3
17877d2c03215f22bfb6cb7cd3a2b8d3cba1c17bf2f33f44163da90c67f56697
6f73393dfb236ab191e8b247573693f6d2913bf59a95541488d0fa6037f9e589
3724853be234af96fc81211c901194d667d5750574859e073e475f3752ab7ee5
494c2e3f9d7b369ac1f7f471a170f31d421ee5027af82f1c5e32227860e00404
2b60a60cc965883183d2a376c5136c088d29da5238dff2ac9223149064e31fde
e7c888a111eeb26eec94afc97e0f9b838fda41ab74e083cb5b94f06800890d2d
953dbb09953afb206f8fad0d62883a572f75e39c3fc5177332bf970c59c77278
fd310dd65cf99f9392307b0b7fe8e3c4c45ad5019a321107abbfbd9c6c571de0
0a1882b30751ffb0a0d2df299a3b91a0d816103544b9bc4b2cd1106822037ad0
7f12d621d13d212ed99ef23b8fa1b34337a4491f8df52dd3e5c0b9f3568f2c1b
4a45b99ba18fc60bbe3bf3ca42a0c1e9ab35597a1863c4010f2477bfded40963
76650fb8aeaf679cd204ca347026a67767ab8d9c27f65597b275d8d57327e096
af3cf8969b0fdaa379f685e9c822eb12d92c0b7103743671dcd006346ca6df78
86329825eaf86f08f84bfc3ddd8870b5c05f47a43aba3695eea5ca4c7a0ee00b
6eedc70dbeeb29b5f978d19bde0a32b02c54b9c9699c6a3a97e6f20de816c86d
74d9431b9ca92014c5d687bc0515de79c81917c3bba3896804d4e6c912d5b024
bfdeb36839c4bea7f10ff81531bf3bc7994d13ac97060f72154c61e5e3dbbd8c
c40673c9dabf11cb8247c5eefe2bf42d425bde40dd560679f82ba4599fb6d180
45d0c2ec2ede02e8b8ef535346a4e7e06fd52ba27995a15a5f1a0b11e305d4f7
c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
77ccc61481c9fa009dfb6af2f6293b604312d440df4338e757ad2df844d10e0b
30225014a390133cd81a5896e070c88313e33c21c6cb40d9fec1600bf9f70f4f
0b6552f35a24fdef4ea92e7a0f48775178603092f271c406568ead3851cc37dd
2a005539d78a0c685832affb3bfbfba01de751fa8b6cdf02becddabfc89b9029
50f213324308d7628f1708c4cb7c6242bb15ed45f1828f459703bfd692d007a0
b1dbe37d7e430630d1806b9cf40e71f3e1c0865892b9f5a74ff7dff422817596
557b3fa206360feb6819be479141409870903732a43861f8e882e3fa5c3f96a5
e555da2ac86f48df592dcafefab28e1032e93b7a547553ccea0085d4e9292a08
b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32
5caa5dddcf2a4b84e0280a606151dd4c2bb4729c97ca6fa944ac002180e54c2a
aa5728008a7a4b1173fc74eb5e41666688baddefbb2d5214d46cd6815646b5f3
d960e4cb723ab80fa57bbc9c3f2d4fb76e3b4b62880589da1c1726e258b8bb56
d22ba564b79465fff584d41655b8bd84e6bf0046b30d371cc2ccc5adc08e5a84
668493fe37aeaea5f2e74a1a4b7d36b8a65728d317ecc8bbc7f0f2a7de549af4
c6af34274ba09e990bdbc008c74f95f935ba6d256ed23ee8c67ea06530c8c0ea
19a9f45abfa7ceb531cb8a3bc3dfb3af77561896ccab95743713c761729204bb
a02e9411c556434a56164ec32b0f990f7d14060ecbfdc793d9d1cfa689574d71
f283343fa80ef56dde660bc481d63a31cd2535d83adb4c4ffb5a4ba2dce9e85a
32877fef0decf21737a3557ca00a32a3fc6ba9cdda8c25cb7cbba43dccc0df49
0d9bc30154620d0ed79a04571725f034f0965092d067935885bca02605723bc3
59558d5bc10450ec63904f60f61b13f2e2feba2160c02bdd50eba25cd1b3b355
044bd666c83a8a9550b7396dddc1a31947fed990842c57c112f7abb4e19ecf33
ce47ccc820d244b5a55bfced33779fc1262758c2b8212c0f63b614cc85381973
026722d98d68645cbffa896e2c7d0d59a90d079688834422f5c97f379d4ab720
2062ba9b3665e425d4d02aa3cf2eeeccb682ff6c09a8033f512c13c52f12d978
636943f682f71370760679bd6afb382f5e0aacf31995624007c6541eddd62f53
f97691d405f1255b2d966ef6f581f160c6a708e5581a7d79e97b9bd70260d0b6
2e8f25978abc50fec94b06de6a551953a21faeac624ef6983d6df036d239a302
ef9cf558fc63c945b28f69a30c01420e8e28b3fa33d8c9b9e40e7402717b4ecd
76c3b1e7151a1048d4a802f857c3efc2dde24a73698111bcc1dc9907faabc9b8
33fd426f31fe7cb35425f7349a3b4428c005a061b3adc82c44de90913b5b51ef
932f8408820168efa7e334cbd4c0222eff4296b326e8d25196d998c2168979a7
5aac87d916d8ec903c67280fdff17ce94064c80e0717d7e102d31aa26aa003a9
3691019c577e36528e2dd3eee61a809d857a226b979d331874354211cd58bc32
6b152f6f8ae8598cc7893632c92878ffadc3e2ffb850f68e66a7917249c9821a
88d1da4410f80cd136f9af155ef136ed298b391abeb4c53960c3b562f1648813
67bf84d91a5494478d5910d58170c72f85c7d778d755d003b94344a691837209
e861afaa4755a6f42c02be20ea94ea195e45b8a952928a76692bc146decb78fe
a6c97c54c4bebd6114ddcfac0414fb0d432877d2916012c8a5fc2cfb45d9346d
0903961ba7ce91a965ee42d92da305ecf174b588351dbac5bd7f53506cc5a0f3
7e67a390a2557aa2dc6f740d1b0906f74f6a9c6875800746bbeab17b2e3f0fb7
3c1f8c10253bfe7388f5d51391a2253b56e348f92ec68ad70f78a4d7f526147d
be03b9620b1ae59e5a19f50ee5526a7b9bb4174e09a79cd82a5cf108ecdfd4e1
699af4e8e4d2f3b3ab73268c846f4013f677bc183b9c561279f88c0239972b9b
fb15b15a5604f81ee72b9b4faa0160b5d49a8eda415b9a1f54416a69bb3facb0
cb5c22f0aa405129ace6079f8dea8ac27fe89377db7adfffa3c539b59990d6be
6bddff781a97f7479e290a3fb3f34c681f98af9af4ab5dbfb14006bb63223522
018b23732bcac6e2ccc7d8130259b5085d10dafdac74737e1456b5f38ee2c81e
SH256 hash:
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
MD5 hash:
ce10e438071b4871ca1faf189d7ecd95
SHA1 hash:
82490708fb75ef57227bc619df99176d97b113dc
Link:
https://www.unpac.me/results/0073049e-170e-4150-8bbb-0be8ed332e81/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52f624cf9571/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fb144b5c477688a3a589cbde2c25fb4fd0e9fcb31e40f8649027636dbe6df37c

AgentTesla

Executable exe 52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fb144b5c477688a3a589cbde2c25fb4fd0e9fcb31e40f8649027636dbe6df37c
  
Dropped by
MD5 730757ac10ad906762f22ce0f706a57d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments