MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 19



SHA256 hash: 6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93
SHA3-384 hash: d97ed786f370b31a885955b1f73d67d571a5b3aea556da287f895b86242a0bee045bf9c49a9a034239694f7f78570142
SHA1 hash: 8a7e9287ad714c6b29954e553faf52113f9f6d98
MD5 hash: b60527779e09f5f02b4404fd051cb0c1
humanhash: fanta-nevada-edward-mobile
File name: Order of CTS-SFCS-104.exe
Signature AgentTesla
File size: 872'960 bytes
First seen: 2024-06-23 23:15:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:TfTixkCRnIbQXc7nFne+ZDE43g47deneQDN:TfGkqIbQXyDNEy5UN
TLSH T10B05F015A3684BA3F06F87FD80455411D7B5A106F29FE3484EC1B0EA0FB2B34D995EAB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f0dce8d4d4e89ef8 (3 x AgentTesla, 1 x RemcosRAT, 1 x RedLineStealer)
Reporter threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
359
Origin country :
CH
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93.exe
Verdict:
Malicious activity
Analysis date:
2024-06-23 23:16:29 UTC
Tags:
netreactor stealer agenttesla exfiltration evasion smtp

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Banker Encryption Execution Generic Network Gensteal Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Behavior Graph ID: 1461393
Sample: Order of CTS-SFCS-104.exe
Startdate: 24/06/2024
Architecture: WINDOWS
Score: 100

Contacted hosts (root): mail.mahesh-ent.com; api.ipify.org; 3 other IPs or domains
Signatures (root): Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process: Order of CTS-SFCS-104.exe (started)
  Dropped files:
    C:\Users\user\AppData\...\wfqOPElrkygB.exe, PE32
    C:\Users\...\wfqOPElrkygB.exe:Zone.Identifier, ASCII
    C:\Users\user\AppData\Local\...\tmp39D4.tmp, XML
    C:\Users\...\Order of CTS-SFCS-104.exe.log, ASCII
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Child processes:
    MSBuild.exe (started)
      Network: api.ipify.org 172.67.74.152, 443, 49735, 49738 CLOUDFLARENETUS United States; mail.mahesh-ent.com 148.66.136.151, 49737, 49739, 587 AS-26496-GO-DADDY-COM-LLCUS Singapore
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    powershell.exe (started)
      Signatures: Loading BitLocker PowerShell Module
      Child processes: WmiPrvSE.exe; conhost.exe
    schtasks.exe (started)
      Child processes: conhost.exe

Process: wfqOPElrkygB.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Child processes:
    MSBuild.exe (started)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    schtasks.exe (started)
      Child processes: conhost.exe
    MSBuild.exe (started)
Threat name:
Win32.Spyware.Negasteal
Status:
Malicious
First seen:
2024-06-23 23:10:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
89
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla_v4 agenttesla
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla execution keylogger spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SHA256 hash:
f90c9c1768e95cfeaa4c0c57ef251571f001d4454d0ca80541b55a0d4182aa5e
MD5 hash:
b79e923379b3287e3e8a039e45609660
SHA1 hash:
c94284392ae41168e81b2452033613e651bb355e
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Parent samples :
SHA256 hash:
fa9e1e36193174ff3dda4135e35641ae6a762ec44ef19658ed5e7953437cf569
MD5 hash:
d8e42899d2b33ee8c1ceb28ce53a12e7
SHA1 hash:
b8fb0f35a807c1cc63827124ec8ba5a2811cdffc
SHA256 hash:
aa4240d3c6a1ba38ff9c7abe3455a20c782b5e3aaa96af6e4332bc9476fd656e
MD5 hash:
06af3c3f7b31c9d3d27981a0842dacb0
SHA1 hash:
407cc724660e5787cf05e03b08c6f28b4835d51f
Detections:
AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Parent samples :
SHA256 hash:
ecf1257cb2839319c722daf5323ba2ed7060368b46f84610b6b6823323297826
MD5 hash:
cba51dcdec84ac14ce1eaf2ede86f28b
SHA1 hash:
2e77e64525600817d96b4d9c497135c989e608ee
SHA256 hash:
6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93
MD5 hash:
b60527779e09f5f02b4404fd051cb0c1
SHA1 hash:
8a7e9287ad714c6b29954e553faf52113f9f6d98
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar, as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 6be42d7e8ab6309248ec11a362abd79226faedf4f7b9a110094f303a166b2d93 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments