MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
SHA3-384 hash: e58a64b1f14645da88b6d046ea96a1400245afa9ed09bd8934863013b56342f06aaab6a39da36b4cfb99a96766f28fdf
SHA1 hash: e4f29ee54067cb1b18269e652f0b9deea63f437b
MD5 hash: 6dd4f871c7d18b3f1b45a7112c21ced3
humanhash: beer-freddie-floor-edward
File name:PO 4500005168 NIKOLA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:655'360 bytes
First seen:2024-07-01 17:21:52 UTC
Last seen:2024-07-01 18:27:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YAt3lRPMManKx996Fd5UtTOOXKQrdMuZeoakR+pt7aQaBnvy8K:R1RO+Gd+8QrdLZbe7a5vB
Threatray 3'791 similar samples on MalwareBazaar
TLSH T1C5D4125135262863EBAC88F4A525188407F59F9A3815F7EA1DC370E90AF7B481863F7F
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 003061251b120000 (2 x AgentTesla, 2 x RedLineStealer)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
454
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20449.3186.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6682e616bba6ccecd93a1e23win10vpnfull_triage
Tags:
Execution Network Stealth Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8389447-c9ea-4cdb-b4c7-feb23cddd6a2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1465533
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465533 Sample: PO 4500005168 NIKOLA.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 40 mail.iaa-airferight.com 2->40 42 api.ipify.org 2->42 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 11 other signatures 2->54 8 PO 4500005168 NIKOLA.exe 7 2->8         started        12 GpAHAtkovL.exe 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...behaviorgraphpAHAtkovL.exe, PE32 8->32 dropped 34 C:\Users\...behaviorgraphpAHAtkovL.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\Local\...\tmp7910.tmp, XML 8->36 dropped 38 C:\Users\...\PO 4500005168 NIKOLA.exe.log, ASCII 8->38 dropped 56 Writes to foreign memory regions 8->56 58 Allocates memory in foreign processes 8->58 60 Adds a directory exclusion to Windows Defender 8->60 62 Injects a PE file into a foreign processes 8->62 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        64 Antivirus detection for dropped file 12->64 66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 signatures6 process7 dnsIp8 44 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 14->44 46 api.ipify.org 104.26.13.205, 443, 49716 CLOUDFLARENETUS United States 14->46 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->72 74 Tries to steal Mail credentials (via file / registry access) 14->74 78 3 other signatures 14->78 76 Loading BitLocker PowerShell Module 18->76 24 WmiPrvSE.exe 18->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-07-01 14:12:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mizlulmmrsuhyn4bqzqacsec2tifg3lss3qi6lbxxiogsk4qd5ta._file
Verdict:
malicious
Similar samples:
378a5373cb0cdab87777f9864381aaeca5bb38f6bd97108feaeedef6f46ea512
AgentTesla
88989d52aae6ee018cab2afb8bfd712a29177ee9e20365d6b228a25828c25ee8
AgentTesla
a3389d421ad67e0668b58bca73585ae641047e2b9b0d798060b96f4ad0648477
AgentTesla
+ 3'781 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240701-vxj38atfmm/
Behaviour
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6ec15c2-55c7-450b-ab1f-9a226075d117
Unpacked files
SH256 hash:
f90c9c1768e95cfeaa4c0c57ef251571f001d4454d0ca80541b55a0d4182aa5e
MD5 hash:
b79e923379b3287e3e8a039e45609660
SHA1 hash:
c94284392ae41168e81b2452033613e651bb355e
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/1a0d90b4-1f78-4323-a67a-cfc27eeac378/
Parent samples :
6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93
b89f9ae90e40b950bb2c2205bcb70a42da20d12d6044dea8e4a57c099846f729
0c7a66057004515fbac9276dcdbfb9594afd4316ebe900a9ead8d40f6008078a
df42aed98863b49a6f208ef3181f08ba5014cc3192c3a406dad6def44e4a3c14
11bd38092d7eda3842cd5a5dc3fed362d5a5146ae6228a66b8ac2693e9a81279
07c90d353d736c2a8015e7f1e86d4492d697360132914e1379cff9f0e0385ccc
6c721f64b26bc43ddb3cf84cdc213f3cec242df25c73bbb61ec3615fa7a5ffac
8f4cb88d415e2f69fc68b90950a51cd76edac741b2fb8ad899dd0919fab3d483
eed44dd24a2a323d4bc0cbd07e41a9eac099b9684cb1494eeec4f954a2ecfc65
2c63d5c9bece740d05d08aae01b061b9845ebc9c61aaa31417e79b59c454d7be
32ba21b45f7d4a8ed2f4d8fd0736636d4e70edcc4b956ea4c43fde4de696c0d9
a9b71bd91eac64c98a1519e907789fc4aec0bd6de47f643acf462cd4aff8aa8f
e6857118aea19c18f962e1360848b8061eceeb5a601d5a331589ae8fa412f0e7
0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763
91a3a97b17a9ca19f8386aa805924d1a553f06b94b13f43c1c936d0be1782ba3
0dc82a04b6db46d96cccd1ac6808018f6c99727d21247132e8758e4cb7a572ca
5ef6dc0f7dc9b434dca80df4d614c4784fcfc693a628b0e43c564570ebaeb402
f85ceead2f82edd03a65480f3debdfd78c1a34427a99a2c50acd80f7a7deadca
115bc334419a209518a0d06220bb12bb5daa2e1ff086eddb23cf9b9191eca203
3de592415d4a458179b6fd30c0711bdc0006628c7d23d93ef223c26c82d50f9c
fab7aee1a03476b0def49395c4bda8d799c2d0302097562fcb95d23dda980633
fd05577096a8cf7e8a3955da0412f698199b9d2f53bea732351b7f2eb18819ce
281581bfe30a69a5662550433d9d7514254bccb890fa89cd2a77e3601a0b62a4
7f0f2c04a5204bcb0314fe9fdf9a3369e516e19b0ead44c8f1d3319d59010e0d
624bfb4fd94c20dd2c4db18937fe8513ee44081981612c8377fb6363f1cc2942
88ee50dbfee90121de2f56cbb6fb8e23384f2423a0598a45147fe08f6503cb3b
f1a7405298874fe0382def7c612ff12d72e7315f5aaa514122200d461717ea44
7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb
19c2d1f233ea3d256026796196e7067af26534ab46874cf4fdbacb7e73e5922a
40898401f5a784cea08158b22b5a17c33791882e6c7c79afcd25690281b73c02
253ae6027d114caeb26331508c9c916b54fe3561faf46679c06c48dad8860cac
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad
faf0e3fa2a040e49e3abeb69849e3a25ff621bc8499c70dcceb577ba89bb5929
cd05700b5fa43cd11f8f5763bc9340b8f8ee40cdc64765cb604ab28ee68a1d0f
505ed9f190d5f7a4b16075a09119a9c2952b2d9c7281a13c6a07f4840200e878
712c970fa57cebf6ccbe56758bb5c616f103d08a9a1404bac0b7ae3c08d6edeb
ec4ae5d1e86adee06c295ad77006d3328d144aad4fa2d0dd4fb7fa1380e21406
e2e3f3315015f5ffc74fa9f868861331fd7afae3b0396fd7911c61aa8606b0ae
a89824df9b88e6da624d0ff53b72685f10eece0d54686d9b8defb4ab9a8e5f9b
58d9c0736d0b202bc82acaedfbce1daf33c8402f58e246e8a78190f445f2c6d6
eebcd1414319130f36bea1e6c8fd29750118b145dae2d094d8a9d6aac0c619ce
140a5535a35a820de41ed7441f1278898247a6adbc2594d8a1f34bd9f4715eb4
b5500a5c920ed8eb3519cf519186ea942f1a459570a2ea0653f33b9bf84089c5
0675bd350929e619eaf3a4f22b68d32ed19e451bb7f8aba8c6e4f242bcb791fd
a5154edc933c692bd6160ce41e1af9d27782f21ba1d25403d1cca7aac25c44a3
e75f8000fdd2081700afa2c137c683bd424d8eca3c5fa928758ba18eeca8f194
1831a7d7cb0309018b48298dee3d789eb6aed6bee466a4ec2cce27db09e458f3
abc5d7e2fe95585f2c118d1e8ed171ea82ec3c76b02353aa5acca13cab13a32c
2ca8a08a83d98fbae1d8683cdb828b64216f9849ee539e09198db53876d419e9
ce51bc85fa9cf4a581de693c5901e0c03fff712c40f723009e393bad1a18d014
40043668b0ad9a66018432d3e9ffe7d0466a6348a8ee6250a606e841e114b270
a745afdd5cb81567de1560ead34145f713b7894058aa2097d755bf5d09b9d34f
3c0b94f379c5c568f8f3d406b22b642d3fae60094f8dffbf2e24c87c8435e0a6
e30e81cc9d2c5e121942bf9bbdb9f1bd164842ab3a380b25a2d7f25c9a358f7d
43ca109175c43c1c619405c79eb8d1b16b077741d87db5715ccdd58de9146bf9
52f624cf9571a843b126ac880b5f9b819774c02b35d564830d0a9117b82ca8ad
def1c893697505de0b722e6fb3e516bad1c37f8e19599920714d29861639c274
269e0464214adee11c3339c18062ab56d83d34e745f2809ff35de0bd1ba62bc2
3b253bddd8e49b0353b44254fdc82c53c1614f5c2d09e2fde95698ad3a7815a0
013e39d10c6ec3d7f91105322804e5ec7d6cff966e44659fc568957f243e67a1
eb07f292e4a46ad121d85bac9bea91ab03ffb795527d7c1c1047e7312ea597c0
d2b5d02ad0207f69484b73eae658c2c08b747b4b3125e8856c5f0df261217f1e
71c91905a377be84dca1c0965d8ef92d7c4cd53c137205699f26582cf8107476
dc74ae7a70778659ee1f27f8e772ab2513299da34c7b2eabb866152e5588720b
7289da5a1cc6d7149e862660a7f3f48db0ef1f6f8e5de991501e72bde1192be9
e9d082e59f131a020a870a416b1fbd2aa978f0706fa690080a268a5295bd8bb2
c0e6cea1456ebc9c970e4cfc70ad112501a744373e25c74ae318e9654f852da5
a23d1f07dfef6b5fda6381ecf6866746d624dbc1e510073d83f431124bf7d556
88fc5d96ebc31042f41c8d80e87a1d6b8c4fabe33f11717dbf417f969604af70
8c3c62aafa4ff3a976150dce366c39675fdeceb96362d9071acfd37959770d66
1ec1d53a8f8b891c32c4102cb194093296172cc21167887a7d28b09b88b8b8c8
8d39599a31cac2a8cf51d0b0d6dfd6dbafa76dd1cd33d70d0ce6a8235c662a5d
bf8c949142a94cd782ccaa81fdcda4e35b3864a1907c5be0c6665a7eb9b54cd4
d1517990df29e028a1fc4e2da10b0b51820fed7d258ddbd4c92543538e03a5c9
c9e1b0ef9cfac8e4e002a5609c366489564b246f633d0685fead77e46f7f7d61
6a38f9fba4979abf0676bfa91c7d4ee75c583a6e2ad1a4cf71a3e623b7aa8c37
8155b09e9644fbd69c30e5edbc1fa823d9b9cd224dc9dfe4af8b47ad3f1bb756
4d7d64616dd21810a0a128df33c3cc2f7332c67dc9569f1795d55fc4888177b9
7ddcda1e8561e9d96107c717c5cf5ef9a2f3ff3f5f4c1b188b92b010fc779aa2
467803efbe8c9637962cd2141757f7cdd184cc57f46d75fa8b074bd81229a3f1
a4e1544dee96f911479934ecd89b51ead1ee008026a2468f65167e0d76cb459c
6e3f83c2f76db1f32e9243e7899b98655b3e49658463560513d9a315e865add5
a01dcf8636b3ad56545d228cf3e38c3554ab5622516d1fd9e52b55249ab7fbea
d21d0451a7a8b112776118d88154bf7eab2703b13bf6ae1dcaec2f959bf42305
64874958438945a29c66851bb23bcb9483955577e941e156d559885cca4a6910
b6f0586d835acff8c86c02904729023d95b10d879a066a9eeca973deaf582e07
8647436d5b5e93de1fbaf9571e584ceaee4a620cd39b60472da87e694239c317
22a01767b082d5ef80c5f191c653f73fc7d4f9d2742229580fd928a9a867a4df
7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe
3c3de54110bc665e6d31e2455372fc489ca5f3be4e0824ca7c0b58802663dbe3
251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87
2f35d828d19942c2daf1989fabb8565c56f9c2d6f3b00e3470c7785ae4ddde50
f251fe71103ef7bc4cbdbcfe9c1d7c4a595f831e51cf4064f2bfa595f47bda35
96c5089380f7452f4695bc517e83cf49f38f5de59e82d8c1142c770545941285
f211a840befa45cad5c369f64b91ff53d0dba7e98835dec3886ded59746e7333
444fb4871f9ee687f90ecf33223c91bbf263a7d66f1c665d653ce71559c557bf
8f9dbdd77e130b7238761966a9c9aa8712baf2100ddebc3d9d206ee17f8f119c
33f7683c768daecbad44d0b27d44ff13be3340d1cb81fb59dbfd7558cca21797
a2f6bbeb5c2756cfd0a71196e98f0b4f71e58101b3e39342015aad98d70d0f31
6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
c42f31c68ee4a14aec74ddce249314d00813289dc36740484b09ceadf72aa0f8
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c
0464da926fb18f221087c3d88c51b18b81d5776e559fbf9b76d8e1301c95a8b9
a5a3067e6a3c4e957152655df5c68ce4db77f8308feff43c53e7535031033be5
c08ff513ad0787ed08c72bbdcda0d166e603ea0736f5687b3dddc0f4bb87da33
0f1032dd6e6e984bd0e31d1edb45e027b12d0ec1976505dd6a4d1dd2351931ac
86329825eaf86f08f84bfc3ddd8870b5c05f47a43aba3695eea5ca4c7a0ee00b
c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
26c199fee4db63767ab6a7ca3b251ebaa3d8d08150d1aebef56546bdb5ea395a
80b9b09d79c390fb55a56fcd01f0189e85e8cd8272befb7f35ba2a19ff9ae30b
5aac87d916d8ec903c67280fdff17ce94064c80e0717d7e102d31aa26aa003a9
67bf84d91a5494478d5910d58170c72f85c7d778d755d003b94344a691837209
5327a0f0689f136883119147b37ea30c8d917caac1135909d4b256566180b04b
f87529bd57f54630ff4e0a8391d2e02bd04df4b83ec7c2b879dc258f81103978
21d5d8b254df4c982f0d5e2289dedce8859f154b494a7a560834c6ff341028ea
09f80e5b22639c198be1ef13793c7a0ade764ed89b20a0f09ab0830f3d77eaef
be03b9620b1ae59e5a19f50ee5526a7b9bb4174e09a79cd82a5cf108ecdfd4e1
699af4e8e4d2f3b3ab73268c846f4013f677bc183b9c561279f88c0239972b9b
cb5c22f0aa405129ace6079f8dea8ac27fe89377db7adfffa3c539b59990d6be
6bddff781a97f7479e290a3fb3f34c681f98af9af4ab5dbfb14006bb63223522
018b23732bcac6e2ccc7d8130259b5085d10dafdac74737e1456b5f38ee2c81e
SH256 hash:
3109297f390a7b155a8b99fc71ba270211899a2cfbed9290c7a475a6c549bbc6
MD5 hash:
ca3eb964a153ee205b42a58827ed7121
SHA1 hash:
a09386b0c516ec830e01887ffa5571056ee06c5e
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/1a0d90b4-1f78-4323-a67a-cfc27eeac378/
Parent samples :
836130d92fa30a6cfdef9e8b66289d99f89ab55dbc3dbaa3cc409f565db5457b
b221fbbba9145479c60a63b77da5c52785a2f11ae697a6eb7224f930bbda9cdf
6f3ee68a709242ec89c66deb3a5c7fa9e3a96fcde560096d1c8b7962df8a058a
e1a7994ddfd57c0e0e5640720bab427afa0d0ca11f5b09d50b4fe8c9d030c726
006266f9eda6903e064e94e834d9513ad3a85c2d9964b50dd90d03e2b784ce2a
8bbfa40764eabafad6f90d973784f343b8d7146689f4fd4384da26935b2bca5e
50b5eb20f116100571a794e5fe30953bced95340d1a180108806cfe9e04da768
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417
394b16c1302ab448e7c5c81f7ad92c185a13ac68e585b661d2513a69f7d01857
0e30fb9a51c158c0d9a3d73562e99aff6e9ed61ab56ab18b5288d64c1945e9ae
2ec1db87eadd4126bfd104899d0e7a6c94e69ef80f7022f4388342fa6164e761
7b49be821f82c0045d96a26ce306ee9a65c862f7311efddb54c30bcd27ad94bd
a8970a4e1980b60ab0c3944cc63f4e32935dfee5166164c4fce000188957fa7a
aeed87f06c1d73acfe30d7bed14be7929caea7c5011582b8a807c8c72e88582f
68f60db69dd7b37366528129904a919dc09eef98f604447337da74fd757c5e15
3109297f390a7b155a8b99fc71ba270211899a2cfbed9290c7a475a6c549bbc6
6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
e3308f1dd36bd61758447d5c6eb6e90adabc65e1119bbbe78537c3e3b622835c
f71c34128bf5c4a4ecc05e5aa4fbd02740b96c4aaf075124f3a4e33f36c17c92
0a9e932f64ddd0e3292064029dbc66987f28484dfceb705875b92403f40da037
676cc88d18585152438aa593970014f0f661f98b427d454627513cea119f0777
f32fe860e2a32304024771ae67f2b8190056aad488c7f128ae86f876639b70e9
4e25695bab3ab85fc29d5ec8858b9caefe193916eabe0d7bfc18059cb23c6757
7a4d615a35c88c224f8e4c3f71e1670673ef41d30c27892662a8c44074983df1
46ec294043413ecec9c6a8fa2c8a70d99abdc0d00003b6d31d795a76e50c7a60
8bb52d0be263f9a7841a7a7537f0ac85fe5fe4b5bcc87d94663dce56ebad90dd
457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
e46f2d7b2f17430fbf6670db5f785f22a38cec22cf879259032b1edb1d074c41
3e3d796025df4a863c3f4220bfacbe1fce38f67318524891218180857200ecb2
018b23732bcac6e2ccc7d8130259b5085d10dafdac74737e1456b5f38ee2c81e
6f4bbb5aee6549053ab218b1d564cdcb6b07144dcab1dd3e92683d640f3a8b60
76144b7c900168c9893aaa223a1ec8e8081cd827c99eadd3a6695efd0ad337dd
f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998
23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447
978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e
b071d89b6d73e8e71e636ea4f769293c079ecd935e98eadc0b6dfaf71e55368c
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
c50bc28b5eeca0a3340e4755de566a2712e043aa3d487cdffda72de617610cd7
de9c905c7d05ee8775d644ecc9354ca87a1c74fe5eb23537c0bec8784e7dfaaa
a217672d528e4ecb21e3e93d0da10ea3c6fbfc04483ef457c748f78fa4395400
634e140524f023482bdc5754c81245f02c004c4b8c30e9a9071f7d0a239a6b4a
b56e8431fa939f346a93b8e6178fa2eddeaa734c3e53b42cc7cd2edc087a07e2
422402851019bc4421161c525b901d326acdfff9b33e026256e5de20a91ef0bc
SH256 hash:
7ea1bf584cf3e3325b4a5f84feb3bbfec40ff6d718041c9df6c131505840143f
MD5 hash:
3d890e64370a294eb12f6ecf04b898b2
SHA1 hash:
5f1ac450102ad3e772d482d2f55743bcb267514c
Link:
https://www.unpac.me/results/1a0d90b4-1f78-4323-a67a-cfc27eeac378/
SH256 hash:
ecf1257cb2839319c722daf5323ba2ed7060368b46f84610b6b6823323297826
MD5 hash:
cba51dcdec84ac14ce1eaf2ede86f28b
SHA1 hash:
2e77e64525600817d96b4d9c497135c989e608ee
Link:
https://www.unpac.me/results/1a0d90b4-1f78-4323-a67a-cfc27eeac378/
SH256 hash:
6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
MD5 hash:
6dd4f871c7d18b3f1b45a7112c21ced3
SHA1 hash:
e4f29ee54067cb1b18269e652f0b9deea63f437b
Link:
https://www.unpac.me/results/1a0d90b4-1f78-4323-a67a-cfc27eeac378/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6232ba2d8c8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 1846bc9f43096f2257427698887dbdddd08a1742949baf3229253efcafbccfc6

AgentTesla

Executable exe 6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1846bc9f43096f2257427698887dbdddd08a1742949baf3229253efcafbccfc6
  
Dropped by
MD5 5da8efb68379590fccaf5ab65fc1f5c6

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments