MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13



SHA256 hash: 73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac
SHA3-384 hash: ee66d1e1a64b9404998da8d44df1eeec8fa74836990a34399b814d0f67fbd02996421d529b37a2c245ef62c347517c5a
SHA1 hash: f7ef8c07bdfdb90f3550271ea9b131a196158379
MD5 hash: 2960ac18967f4ed7edd6c232ca765df9
humanhash: cat-texas-hawaii-florida
File name: SATINALMA SİPARİŞİ VE ÜRÜN ÇİZİMİ_PDF.exe
Signature AgentTesla
File size: 666'624 bytes
First seen: 2023-07-11 08:35:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0N1ujtn5gWKjId0DGDos94TI9JOiGA4ikoHM+0oZYUYzPR:vbKEd0iD9DGOkoHaoZYrr
Threatray 4'724 similar samples on MalwareBazaar
TLSH T17DE40288A2B80F17C82DD7F92050227047F875E6FA12D39A8DC370E72E67F85465A767
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 4428d4ccd4d03028 (10 x AgentTesla, 3 x SnakeKeylogger, 2 x Formbook)
Reporter lowmal3
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 292
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SATINALMA SİPARİŞİ VE ÜRÜN ÇİZİMİ_PDF.exe
Verdict: Suspicious activity
Analysis date: 2023-07-11 08:38:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 1270667; the rendered graph is not recoverable from the page, only the details it listed):
Sample: SATINALMA_S#U0130PAR#U0130#U015e#U0130_VE_#U00dcR#U00dcN_#U00c7#U0130Z#U0130M#U0130_PDF.exe, start date 11/07/2023, architecture WINDOWS, score 100
Top-level signatures: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 5 other signatures
Process tree:
- Initial sample (SATINALMA_..._PDF.exe) starts a second instance of itself, powershell.exe (two instances) and schtasks.exe
  Dropped: C:\Users\user\AppData\Roaming\PIWpRektq.exe (PE32); C:\Users\...\PIWpRektq.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp2B31.tmp (XML); SATINALMA_S#U0130P...M#U0130_PDF.exe.log (ASCII)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  The second instance of the sample connects to cp5ua.hyperhost.ua (91.235.128.141, ports 49711, 49712, 587; ITLASUA, Ukraine)
- PIWpRektq.exe (the dropped copy) starts PIWpRektq.exe and schtasks.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  The child PIWpRektq.exe contacts 192.168.2.1 (unknown) and triggers: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
- Each powershell.exe and schtasks.exe instance starts conhost.exe
Threat name: Win32.Spyware.Negasteal
Status: Malicious
First seen: 2023-07-11 08:36:06 UTC
File Type: PE (.Net Exe)
Extracted files: 25
AV detection: 17 of 24 (70.83%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SHA256 hash: 809b6acd2a8b1fb003e0d118f69a882c4162d446b92347a94b47f85daf373aa9
MD5 hash: c2f402144ccdd76b4b5110162a8dd93b
SHA1 hash: 4f1c367adee3d8747bfd225e0cdf6b909a23df52

SHA256 hash: 3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash: a5228b97b33467ac41fac5cac2718252
SHA1 hash: 28bb020c8a53b046fc8e8106f2913e62c5941a0d

SHA256 hash: 53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash: 37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash: a87024a466e052bff09a170bb8c6f374f6c84c32

SHA256 hash: 1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash: ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash: 4f2ac65623e89a9457cdd5fc51dc5d747b4830e4

Detections: AgentTeslaXorStringsNet
Parent samples:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac (this sample)
Delivery method: Distributed via e-mail attachment
