MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 18

SHA256 hash: 7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
SHA3-384 hash: e57f643abfdcf5f217e49a4a4d956f311b1c8a992077531ef77bffc20558d5db76ef10903e42a127b22d3afeba1c752b
SHA1 hash: 6f63137c9a20c05c04b53eaea60eae9355022a97
MD5 hash: a0dadb7997e2b13144275b1c164f1c84
humanhash: utah-tango-low-table
File name: Payslip_October_2024.exe
Signature: AgentTesla
File size: 800'256 bytes
First seen: 2024-11-04 20:23:14 UTC
Last seen: 2024-11-04 22:17:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:hM3ZJZEkrV/BUNWGlWblcCSU+gXsT3Srkezl4VQRv7P9vZPqWeQh:eL5yWEWbl5LcT36zuVm7lvZPVh
Threatray: 684 similar samples on MalwareBazaar
TLSH: T1F505DFD03B36B719DE695A74D659DDB582F11AA8B101FAE31ADC3B53388C3219E0CF42
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: 4848d4d0d4d4d4c4 (4 x AgentTesla, 4 x Formbook, 2 x SnakeKeylogger)
Reporter: threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 424
Origin country: CH

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: Payslip_October_2024.exe
Verdict: Malicious activity
Analysis date: 2024-11-04 20:25:14 UTC
Tags: stealer agenttesla ftp exfiltration

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: agenttesla lien

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Connection attempt to an infection source
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected vbnet

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph (rendered as text): ID 1548796, Sample: Payslip_October_2024.exe, Startdate: 04/11/2024, Architecture: WINDOWS, Score: 100
Process tree: Payslip_October_2024.exe -> Payslip_October_2024.exe (child); sgxIb.exe -> sgxIb.exe, sgxIb.exe; sgxIb.exe -> sgxIb.exe
Network: ftp.haliza.com.my (110.4.45.197, 21, 49239, 49734, EXABYTES-AS-AP ExaBytes Network Sdn Bhd, Malaysia); api.ipify.org (104.26.12.205, 443, 49733, 49740, CLOUDFLARENET, United States)
Dropped files: C:\Users\...\Payslip_October_2024.exe.log (ASCII); C:\Users\user\AppData\Roaming\...\sgxIb.exe (PE32); C:\Users\user\...\sgxIb.exe:Zone.Identifier (ASCII)
Graph signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Injects a PE file into a foreign processes; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
Threat name: ByteCode-MSIL.Backdoor.FormBook
Status: Malicious
First seen: 2024-11-04 17:23:27 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 23 of 38 (60.53%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Verdict: Malicious
Tags: agent_tesla
YARA: n/a

Unpacked files
SHA256 hash: 77f40a5b957f9cd4ec858fda1e559372df8f7688cff656051c3e7668560ce0ff
MD5 hash: 606189fc0633b10674eda2b2ad7f3a6d
SHA1 hash: e3caa412034fdbb749cba64bdabc3dac5de0ced4
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Parent samples:
SHA256 hash: ce99c39e74206c05620cdefc0f070ff60601ba36eb7acc920b755d5d5bea161c
MD5 hash: 448ef513ca58a07131e823031cd211ad
SHA1 hash: 7e15f00335d5b8447b06a8f540aaf9c1ebe401de
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: a4ea280f8614b914a14799ef2c29779bc5b6152b0ef9d4f721385648da0db212
MD5 hash: f636f2454dbdadec5a1936a8455db489
SHA1 hash: 657d86842a83eac4829596129fab2ae5862f487d
Detections: win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 MALWARE_Win_AgentTeslaV2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Parent samples:
SHA256 hash: 7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
MD5 hash: a0dadb7997e2b13144275b1c164f1c84
SHA1 hash: 6f63137c9a20c05c04b53eaea60eae9355022a97
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
Executable exe 7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
