MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
SHA3-384 hash: 8021561add1a0dfc5e6359f4d004afc386127b4614f47c95928d5223627564142d9be52016d91941aea35cdf83e88154
SHA1 hash: 7e274ef56e9d4bbe57e3cb008c3bd1de981feb7a
MD5 hash: efeac648e34cf17cc09a3c0a0410aa1f
humanhash: kansas-nevada-hot-illinois
File name:jrmNeelg7a0j38e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:646'144 bytes
First seen:2025-11-27 19:35:49 UTC
Last seen:2025-12-08 16:04:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:hLURCp7zinGJ/NUFJIZlbPm70Eqy8w5ADrB+3ZUNZBZT:+tiUJ+ljS8qADFSZUNZBZ
Threatray 99 similar samples on MalwareBazaar
TLSH T1DED4126537A89F33E9765BF12571E13203B90E5BB821D79B8EDAACDF3A127110840B53
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter amznemu
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
draft doc.pdf.rar
Verdict:
Malicious activity
Analysis date:
2025-11-27 19:29:53 UTC
Tags:
arch-exec stealer ultravnc rmm-tool auto-sch-xml exfiltration smtp agenttesla amznemu
Link:
https://app.any.run/tasks/38ff3d8d-d1bc-4c31-9c74-06e5612fe9fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41674/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6928a82e6657e3433281945f
Tags:
keylog krypt lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/6928a82c1b65ca0bb925bf4b/reports/edd45398-dd11-4ad5-89de-9c7180cd5604/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-27T03:38:00Z UTC
Last seen:
2025-11-29T15:58:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb HEUR:Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Agent.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan-PSW.MSIL.Agensla.g Trojan-PSW.MSIL.Agensla.d Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Convagent.gen
Link:
https://opentip.kaspersky.com/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/775aeda8-f9ee-4aaa-ad0e-c0b028202b04
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Link:
https://app.malva.re/file/efeac648e34cf17cc09a3c0a0410aa1f
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-11-27 06:43:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oswoad3tcwi26mk53kd2shok2u4nwp5lpjrnt2dbf3xvtxasrppa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38713a538ea46799f3de660b3ff86d5888c71fab824b330c986ab03ff0a07382
AgentTesla
5f46a374aa835171dd23fce8a649b6be19294f7162a6d048b54aac8f7cf357dd
AgentTesla
78c05491c78074584397569ba91acdcd5353b77dcf1e40df17b510f7672f9931
AgentTesla
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
AgentTesla
+ 89 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/251127-yba5zavldl/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e77af1a6-706d-4016-ae92-38fb80fa090b
Unpacked files
SH256 hash:
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
MD5 hash:
efeac648e34cf17cc09a3c0a0410aa1f
SHA1 hash:
7e274ef56e9d4bbe57e3cb008c3bd1de981feb7a
Link:
https://www.unpac.me/results/f62cd336-0025-4c33-998b-04a1251967a5/
SH256 hash:
3aa8ce5d4766e6fa27c0f3e031c1425b79322fc25ced61c68998ddd0fe84afe0
MD5 hash:
62963935f4f4a7a5d71e15077781146b
SHA1 hash:
374f566ec38e44ea82e0aef8c79417067b37f003
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/f62cd336-0025-4c33-998b-04a1251967a5/
Parent samples :
5fc5368bad8a8b519f2c392b97c458d9425307b00d52aaadea20eba58e8eeb24
707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773
ac7a2d43da192df88b772d5f18ad2fbfff501236b4593c0e608474fedde91508
a0f0d732fb63ac2e8801fb5f3a7f969952a7fbdb8b2a782c64cb1c1c14bda72c
4528e9b7d05236ab6a225911e8978af4a7d49bc0221b5529d40ee85b60b0dae7
0be718f7b7a74c02cb6e13cf89c32e36e3385d3c8d6bf11459e8a43afafe4ab4
35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708
165b528fb02e35b12a59a311102a8bef74ec2f0bf908864fd7fa7ed8f917261e
bf68190a743215ba83339703d99ecb3507f00182ca1fc4dce9a472e4b0c5f757
5659b4ea8582b110707f84728ceeb09d22e72c0f729a02d6d73dbf268b2397bd
b4e1932f23a54390bc8743dfa8a7eea4c3e446eae0c97625d780988688274bf3
1f9e7ccdbb6aecb1c353461b5bc162a24c3df9acb5493d76aa0e8f1c6ec1190d
6419d74ea82b7c45bac56aba550a556791e76110e1af3c07794773daa8900032
4ffb20e1a907ba09b16385b701c037d5f8d62f3153be1ef80260e8fb7c6143a3
15890e027eddc1d4216eb97e3700de9069187fed0526047a148cd67705b1f8d6
651859b30c796cf59166ca018a2b4f18c996af4e688d302466ae56a5712b72a7
36271b3690553ed6d67f3b4f789686c6addfe0704e3852c7173aeeb62ae99402
75bb652c901a98ba61bc0baae6b7e6b1e9605ae11b8e9af441d0636751ac89a1
d54f9aa94e3319c4f55a5204e210bfd81e258ef0aa789b372e4516d3683a3e8c
1603ebc35858fe5eb23519fceb18edc6566022ec9d6393a0eb61597fb70e3df2
4b3c7e98f64622c68cd4d61b313b7a07523e1276eb0e66fd1187e8ef2ddec23d
85bfd7c03d84af32087ec4bf003fd32f970339800345620a8cce138f3847b9ed
f72965f2590970749410784883b637e42f6b05466767232fa4d0b754d4a0054d
e401c37dcfe4433d2b0fdbe449f905554b5449d397eb18e2c78cca0b10dc113b
a0f0473fdc61c805b124ed9b8a2e7dc17a16116118da16b7650f04936c38f184
c87794c2fbf18de86169adc7b50d5b828d8e7ec24c483bc24d429068e585762a
3a314ab3e162a1d14105a5a2f6116c461c8a69d9cf614f79521aed9effa61385
3a279099e6b83675a0f1b4ad779734a1c718d6b19a9ab225c54be70c78108ab5
b1cc11582118c8e46f487673a2d0bfc8ecd8c3703aae25195dff8120106b4277
d4f7093db94b0587b0d66fc2795be733423564739109468222cb2560546e230f
6fb8d03893d2eb011b8ec0de9b4d276528047a6c8b833cc8e7f1398ecc1695b8
70b4895b9344e87470809850e75fb9355d3d46ec799221c1232c4d6128b814f7
5b3cc96740f0b6d508064e77b919b7f26e0d4d63d1541fbae0ced67efa83a668
4de3da2145094b2d623f289bb59e0315edaa2a4820603e1b0384d96da159484c
f239532b415d0769dea6827221c226555e1c4bda21ecd050041d829021c52d52
32f152c9fe6debe129b961dcc4e158e2d0329de2793a15f26e8d4ed5bbe2ce62
d463661f048c60c88a16d49f9578d5eb57262c2c60ee06ab5b3e2d5832183542
2a985f28930a096549702d1405257ae47f8503973abaa406fde72ec086d2a546
d6f0f38727c762b36df15c44ef60ca77e766fb4f961634b21f4a2c806c481038
9d1638b1dd03a382ff17a517be8a43281799bdc7af7b485a5e3c494712663634
5a0b5dc86cd2a408434f885be7c44ae25ac4e3b7320da9737119f81183be9dba
a7db6df5960231b52632b929d91f56f275347d1af9b18326d1ebbf575eb5f2ba
dfba3d114561074b5379a1827a895a01bed990ceefc70b74e8031c791b1ec4f4
82a4425f807c071dedf43a2c116cf0d7ad4f0945adb47dc10378365cff8f9c8b
36d699808361bcf77a1147c09dc4df6319b7bbf670814ab1f882bc2668fc11c0
1a895996e3edf28787c2076049c1ec3ce137824bfbdff3dc6e5e020077762c85
SH256 hash:
93e85ee43c87a7353f94f57cb383c80fa66b998f66fd8e559c535c8f1fc70c5e
MD5 hash:
0725edf7f85f621d24db0b4d0dc0228c
SHA1 hash:
3fd425ce197f19e9d6f4ffd71685a03314725e6f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f62cd336-0025-4c33-998b-04a1251967a5/
SH256 hash:
0fd81528c151cab8ec12e609f49bbc486e90104c6bf9bbe930a30805c5cf5ccc
MD5 hash:
e95741036932605280ca747a562c13b7
SHA1 hash:
86f282ecc644e8d9841ddb18ec54a1a6c615d1be
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/f62cd336-0025-4c33-998b-04a1251967a5/
Parent samples :
409dd82ae03009f32397ee056fcf698e7ea1145184fc4749f00b5ed2534de2d5
e33dfce152f0b1a0fd298f630bb284cc064c2d10d2c69f3e84b308895e1f69de
0f747da7bfb26e1f8bd1b4009036d2eaa3c5431f73bcb599027ab37f1c151061
ba38ba94dc7746ab451cb686df8d8f4cec03db581ae095c5e1b959134db30daa
b900f083db24811988658302c8db25549feda1814fd677a0888465355c3bebd0
a9c310861b7b0eab4b5f00ad0c69d6adb3526d9e9be7cc46ff392ff76ba9da7f
e8595c2e05c63c73af98ce3b55593d4210936a347ef99087d90b18fcbcb0dd74
2497f324ae5abfa05c6910d020b362d445fbca42cc1e320f0c34ae9851a7efb9
54c7016e2d3e49460764d54a465f36f72808382cfef49102446c74d4de9c464d
e864fd2bf5133bc27cd3b2b35dcdb71626128f2c28e24956bf83a1706c2f5bad
cb6c1619615d5947e12e576b93b171902218a8a108fc0148a06078a822ae4211
dbda2a0e7980e112602a69e8e0b12e1435c591b8436aacc5905bdcdca12dafdb
d3cdbd21fac606a9f43a12bad566f242ef59fac34206069528fa9e285e4005d5
44e2650ff2fc7ba8efcbc0a975b2d5ca2ecee228c6ee27df07b215ee79f5b320
8e537ef5b6125fef6449de923808b92122edc8e2d6cc887d49c8ed5510760848
664c0c690a791c1a863702884b3b3bd0aead7fabbd3ff6e46cff58f53c1cd3ff
1c9240b747d01e77bbd4cea63699992b29fc24581021c9fc2a96c75e9e60cc1f
96a1656ba39abe013fe75a41eb52d9b698f723aa7b5f2ba836a8bc3dccb47e2f
7ca9c170757e7f0f9092fcbef7d2830c2393373bdd00648e76e3437ca5a2169f
9f0a3a5caa4240f1aae236ac243a17186e5200983749966cb6b07f311a660302
1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4
55dd72206a4adc304bcae93419f75ff9ff992724d13e92d4e7eaaa550ada4316
0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70
0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d
6cab1f7e8d015b6db4533050a29b43a62292dd20c0a567d5215eed2d75818937
f673e1b0df47036fa85af6860c7cb98b5319baa42688dd5d97533fd53057dd97
6e7b4c60277416f97aa221245e0f1aca462a4594c621574b65f69e62f88477e0
d07ef403a4d320147704c1e188dfa93e140ac148489d60ee564f710e2dcd7550
824c2de7f889a628b7fde1b4c64837e48201b158b170c2f270250e82642e564c
1f3c2092e06e42ed7dd425ee68f826ad344bbacbde3dfd1cda112eb6af3a4627
d7928afd0b6864968e44f9f0ee807991b3a620f30e57048863ba94a40f291caf
402099326202da95a3c10fba47d836d6f9af2ce39f11e405da6027adcffb4480
3be7372f7dc6f8dbec2b12f15922aad92a022dfd930344fc076ef616d303f869
634a2665a39d9361917d4baf34b157a5bfe6f8712e6cfc45d9f57205efe23b9c
a6321a072d7fe8790f12f68fdb8c2e6fd91b212233fd3c98b9169d6b48ed15e2
d81f1cfc732280d0f92df78433544b467d837f60cbfcfdbff21c5f987eaea942
dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621
abfb108ffb2021d7851e2908a6ebf23b507aa2cbf36628f9f30b9eada587de96
450cbaf3ba2178d2ecde3158710066ad71a7d1b17130f29bac92b3414679d46c
0007503c902cecf201946832a5c157cf6090efb2e3b1c8ddfcb4c8e150fb7b27
b237b86e8000dc30c0f5316bb8116946fd569a5065e965f9e276cfb48e600a51
ff9dbc074c9fedf0906cdebe94a4ec7b438df3528db6dc3a649c29bb4414c365
f7b17ea8d0bb38c5760528dcafbf354618a643056f04dc110d743bbbf8e99079
95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
d0063dabacc1569353b846cd664cf979784b4855d03e6ed4fc0ef7f013a0bad9
5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
f482d607663a330b6a2393c8c9850bba8eddc53a4f80012c17dfcc416df05880
87d0cb2cfe6bb9f82dd6a1ab3698892c5866322bcd4a598544aebc560d5fe01f
39c15e35f0b21b2680c56f0f281feffba42f17e437e4234fb2f575678e3afbd9
b17505955e2436a83dcc3b4a213f10fc2b827316ba2d40a5d6c2415feb34e623
c65e44ab50c876191f4c648500e7bf3d6986a7c6941fae19ee55d752aae2e523
c64cd755a3b9d9bc23e8b0654820c719556cd630198bd3ba147e5dda26474ea1
c620d711c48043d706ee5bc200e6087db4b9d46b854ad8d8eb8ba47c9c770662
b03db0564666573fc8c78762884386005dd29e7f39d76e008e36dea70bc7f2e7
ad7e3733334f727508954b7fddebe16af8fb5499e28e243ed42286da81a2da15
d2196a161741acc9a33cab7859e04c625ee492f31dc96a17c57cacb2517f61c7
72a1ba2aaf8d724372e2592797580d085f48ccdcc9f3985eb01b108a49fe5779
e6285b91e58a7dc662833fdf6b8a6574f871287308146d920b4e687a01974e4e
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
595d3b670b05d0e45b48b7f6eea396ad268a02f42c80ae20cbe7cd02890e05bd
c081e4ae35d4644933b0b3542c569d7dea9b52e276ff7c0d7b8f4c4ccc235290
3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd
71fb09d88849f446a488c86f0fabb3a4c69b6c559ecc2166fa2d878d64837bd1
b5ef79a4b0b11a1d8546b1ece86049b558b21205228b8ad98f26e0a475795f7c
47890d0675f690a1ede57fd5619d2ee6acf90648268f0f5538c4b65be53b18e6
36a5e24f66a8e3059682f75bcc74832ed2a29767768b968e88452f0626dd2b97
13cafe220f24b118aa4bfe7ecc489415c8b593de6552a692ba87b636d04610dc
d2cab43a622ed80a2a79ff9266a25fe00175692204a5b022ad34787e39b578c6
806564d7681d2ceeea860949993d5d239949473548ed78fc45f351e7584276f6
c4004e409a21cc66cb6c0d77e72214349ffc8339f7cfa38585f5dd7e40636c31
6dc9d0fa317804195eb9e6f6970f746fb01d91b9758964dc722f31728f88d548
7b3756fe271e48ce86861ea41251320e986f26f51b71f0c917e1099d027c9235
e2ec8b7b5c0cb0461cbc9bde55b79c1da6219c87552b94c0491409c9c8988e6d
cf874da7b8afee07bfb3f9711dc2b1e3eac8c96e177ad338a5918260fe11fb3f
1a642dd77d6b7be3538a906db63abfab9fa008507efd3ce04d4aefc7acf1fdef
b1e435ffd9f5ca69e21beaf2820465fbf1efdf5ac5c691859f1f7957795234b5
1c2f2b8e26c9f1b700df8d0b069c2bfc07d8e4ecb09831e9c402c2aa6a92e2be
36d73dad1a1d20a3555e2206290f750426a6447cf2afd9163ac4764f7fe33af3
c69d5ba2cf0568ef7eb820943ade84ac38f9755b2216566301e7104b8e718796
224c1dcd9fc5ebc03058e8f271abf111c93b47570000615090576a79276b7dbf
1d1f60b21fe163afa6fd4342960a5f524039a603611cd5dcc3b20632c394220e
d2ee35269d6e4f6ffefaefa53d126ae88f6be5d79ecd3894981f844012b01ef2
de6caf2bcb90334037743c21d52d9a9707ddc9b992524abd45c42eb58b85275f
dc77100a6f5d92b71dedb82e431de0d31e571a4b216d44047e44fbb1e5b59e5b
1b169d86759603cf2c5524c535be2cae744a43914fa2b6f78d35c8e27389c7d8
bc6dcf0fb81a1212fe388d0f4aea0b7a213a45664e806236f3fb4e2ee2a64551
26d87f27a9ec64a426d4be355ccfea2671aedbf37545cf13529c04555ffc534b
bb906ba8bafc258a36d21d4fc1924334daf0e5a50c61f244d214ab312297e97d
dc303cf927f0dedb0cc934cf5f8c54b3fe5d0c0952f7d2a34082b9f0434f2346
cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
069393dd8a507d9cc76baffc122ee772fa281d078a95ac7cf2826d05ba251ea3
a25be9533b9bf7feb8ab371e69cfdbc40cdf7a9d6f9041e8dd04d5f7755d43d0
297659c9c082dc0a4b302a2d13189c9f85b5795c79ca3526cbce006b29cb1690
af3714df64bf3a66c27d6e4c718c6da0f770cfbb1cb33d10f15721246b2d717a
ac8248066dcae6455d379d03888b2d618e49e0715e6c11fa5e96ac44faca7208
03fd8790dd182915e617edd7273911a0bf068ad55c83bcf042771975cd6cb85c
50a91256ad1710681ad272b85b6eca0c4ada089ef954b4f48e18e188c482fc59
89c911723b05c5bce8bcd4dd0ec42f190763afc166e85e0fde944e2e752223c8
a5c02fd74ba332b6e1e77af7e15e9828b7371780a2930a1c6034fa99b6690320
f5d4ecc25c69d82f7664ca00768df241cd4fabb9d6aeb8edfc988b2a6f83a673
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
5b3845581328e47c8c7d31c599bb312430df760d88ff4ef6bccf641ce4fa30f8
2fbaa4e57c7164822096fbbfaa7a6216e24d1e3b780d4bf8b3e00fc04d133005
c60a7b0e526a31793afddc2ebae966aac426e2e9d7e3ce1dc3d9e91660668771
2e1f9fa5a6c36a0d70fae41f3b47733bb26ef51dd8d8131f948b2273aef1811d
4d556a59b4fe8dae91ba5192a59501efa2761dd28dd7f683a99f10384a8e0109
57993a7af1eb33d9ca444b7c030d73fe67c32dec183ebc27b68ad1092c104b33
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74ace00f7315/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41674/

Comments