MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
SHA3-384 hash: 7d5b583820d0ff688d5f21473f12beb59ef764fd021f88e5d4b5e19e22d44d7fb9441d7fd9e0503fb428428bdd0ee44d
SHA1 hash: 3b41aca9c2823a30611522c424ffb408d850188c
MD5 hash: 6d59e320844353e2006021b4f44598b9
humanhash: east-papa-venus-massachusetts
File name:TEKLİF TALEP VE FİYAT TEKLİFİ_xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:770'048 bytes
First seen:2024-10-02 08:21:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:9Tv+zZK/vEXpwLvrKC5j8BWE4w00q70S/D9tNvk:1vGKHGgvrKX4LV/5tNv
Threatray 2'434 similar samples on MalwareBazaar
TLSH T10DF48BD076792B05D97947B09429DEB043B52D29B019F6D60CCAFBFB35A87035A08F8B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TEKLİF TALEP VE FİYAT TEKLİFİ_xlsx.exe
Verdict:
Suspicious activity
Analysis date:
2024-10-02 07:19:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b964427-04e6-4dc7-a612-9a051ff2e606

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fd02ac780a9b632d227331
Tags:
Powershell Underscore Lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8df178e6-0e02-4eb5-94b6-a142622c4223
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1523945
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523945 Sample: TEKL#U0130F TALEP VE F#U013... Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 46 cp5ua.hyperhost.ua 2->46 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 10 other signatures 2->56 8 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 7 2->8         started        12 LuYBkKnuHvp.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\LuYBkKnuHvp.exe, PE32 8->38 dropped 40 C:\Users\...\LuYBkKnuHvp.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp28CA.tmp, XML 8->42 dropped 44 TEKL#U0130F TALEP ...#U0130_xlsx.exe.log, ASCII 8->44 dropped 58 Adds a directory exclusion to Windows Defender 8->58 60 Injects a PE file into a foreign processes 8->60 14 TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 4 other processes 8->26 62 Multi AV Scanner detection for dropped file 12->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->64 22 LuYBkKnuHvp.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 48 cp5ua.hyperhost.ua 91.235.128.141, 49733, 49736, 587 ITLASUA Ukraine 14->48 66 Loading BitLocker PowerShell Module 18->66 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->68 70 Tries to steal Mail credentials (via file / registry access) 22->70 72 Tries to harvest and steal ftp login credentials 22->72 74 Tries to harvest and steal browser information (history, passwords, etc) 22->74 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 06:58:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qecdbs4auk2nbt5xcots3s2ayfepkskk4bvzatv6agpi6ynxtvrq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
AgentTesla
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
AgentTesla
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
AgentTesla
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
AgentTesla
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
AgentTesla
error
AgentTesla
+ 2'424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241002-j9kdzawejp/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d7aa9c7-231a-42d6-9b38-baaaf5dd3bb4
Unpacked files
SH256 hash:
d2174ddc2b6341b898b939fa0661d2a1cd8d485f5237427331f0d889672fbe7e
MD5 hash:
221f891053c35a694d7b442b7909d086
SHA1 hash:
81cb6829a184bae91927dc8b57744e895355b281
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/75423d98-473b-4778-a90e-3ffe421c38d2/
Parent samples :
509070cd30eb4cb05c29fe8cb222166c1c7db0f6084ea5b91e37bac79c14ac30
7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
6b8c990c92c37f014fc93efd79c6fbb3a22e8da7961e9333644bfeac353a2ae2
49a6d4dde10788e5000df6a0fad4be9ab17567fd1314b64c3d7be0257adcbc65
72edec1131f38fb1e1753c90814de040ecf70515a270a1f1d3481c9194f6b949
9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
85e703636c2e5c837b37714c02a838dca4f2ac440d45c0bedfbf56b8e01c4820
c7ee9124f10a69564f9f096cc641aaf1c005a5270c8b62781ab71ced91a941d2
5ea66e4e338b5ded7b00ad1575010d7c1149341323a646069f3b00a518f300d5
c89c37f0b5dc89251da6c37aa8e1071c43d52c80fd2326f1e6de8dcd5eaf0dfc
c6ae41874ccd5d6c3e6da49cae6d0a0e8eee20e7037896b38f1e4523dd9543c8
08d86feee2707af5c57b4ffa8663c0e447c7425c39a103906cf15eae7cf1df9d
a433aa981a5cbfd5fae678c523b088d034f61f57dcb61232fbaba73657867b36
2095af004e76f0cf7243b68e868eeb3b9c8c157d632aa785a87a93addf3b75fc
9bcc5591013f066f47701388e95202aa53483c1b73321eecedafd30de2eb381e
822e06191849b35415693155a46edff39c41db14f3dce949120456c1b7b55892
79bcad797129c0be508de0fe7b0462b1aaffbafa74a4e7019a4561deb674f4bd
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
c01d1b77062d28f497480aac1c2ad019d88b9f12a8db4405065cd2a9f3086191
362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
3279f79164633c0881c50971c98ca39bc9367111410f77582700468f2c0e3dd1
38f275624c634801c164c2c8f3294cbeea49b47e8e8d83bda53a0bc8aa7f7106
1897d47010a97079de62b957827fbecbdb4690ead4a51417fa6f1dccfc19f6c5
ece8d193afdcc6ec2c024e2441f7c0ce25801143573cacf71cf059de9a337275
b92304c2e680f54345fa77f77b0c507f93d05d43547e819d2ebf53a31e48ac97
f25dc80bfc742a0e8091d216ecbc033d93e71d43b31bbefb3ec9ef6cfc637cee
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
1cbf1a11cb59b7a4135093c3e6b11be6b81ba57fb30707de145a1d41506760a6
6841176c0e46732c3886f7908a5adf77a6d6ce1327268a9fcb7f2c0262132e41
d55b00b7cb5305371e1cc170179e7025cc517b810e57992adab16893b410985e
12af745dd8353b25857dc4bd3d3282f21c960ab55d3dece7e62d7a10a9aae810
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
520fe428b0afdaf20673224c5004c004ab1d1dfd492cc54a37e362af8a844005
8f49d498d3ed3ff8f66d7f22a4ab6b7747e2e799662ee75b2019304e5dbc6dde
884c0261a0c4ff07790fa549a0dc1d752bd97ef3e0635536193c585a291a7281
368305c8a62f4edc3ab1b94d1242e5438b7d7c14a6c65f7beb4aad32b1984821
c387b91dd56a4b66da4582e26ebc0c5a473e37251fb44650fc62d6d4749d5c8c
27ff307b514230b2363e2284e1d57df50bc8a59b5cf8c732dc32d5587d472c64
407df9654a54792ee72730f5dae8bd303d7d92a24a5fe0a5bc83f634bab7a235
8b528f3a173e7e40394c21bb0cfa0304ef12b58ab185de1da8e4b4e5231eee8a
afef519b2380d9483a1b51eaccf235593140a75641e5a469d130f2d48ffd5268
a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
ddad2801522370c2ca5c4ec41663b36a88ef6be171867f23f084c0fa6ecb1055
5a227bf354dbad129be8c6e1b82eca5bbe6f27587a522fd5fa9e30bdd61b8618
02abb1d01386d7d7ffd8debc2c0fb09baebb82d88b8f758e4de3f0deaaecfbf9
65b4919d036f5dc3a1dfe9b62510ed4e578a87dccf862df6fbb8524894c2965d
a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4
780354ea81fa066b085767d98d878a9b891f7febea281d2e09577b424a6ab47d
b9f4537fa4b470f09cc62c1c706004604498c9405e638712eb4f2ea6a6b1876d
4ed81a9a25e52a99d76805b081679cfe3628756be4bda6a47e365506c7df3a0c
3376b495c19dc3e179dfb2ef072a362c2d26ed59b06266dd7dbf080a80a005f6
0ad205b2d883bca56250246f308228379c27f6114d8b740014deeef53b3412bb
01ab4d20ae687b065b10fdf3f3243a46a320dcec4b3a9a8e0cafcc0878aa1800
bf4ab91b352744a5ac16ef96f4c25405b993ded0aeaed9c09efbddab513877b9
b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
3d4bfc47bd88ef39e0780482a1b0fde1cd85772ddce25d9905d88d48b5b96a4a
e407720bcc7f5845bb9cf84c1c1209ef6e2afd339518359f86944c5f6e019b09
e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633
20f9d4cf5cd85fa7cf0d58b55409f75f9af0b952d3b573bffdd21966d9a3f396
SH256 hash:
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash:
ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash:
4f2ac65623e89a9457cdd5fc51dc5d747b4830e4
Detections:
AgentTeslaXorStringsNet
Create hunting rule
MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
Link:
https://www.unpac.me/results/75423d98-473b-4778-a90e-3ffe421c38d2/
Parent samples :
be91f662c6129ebed98724e3bcc3b1756f34ae703ecd0c2d1b7b24680a911b02
7c8f766c92bb04f1a2ea22e8a3fa91909bbb2c918c67a957aa956cc901488e56
8fa741885aa3008210667909c5dc93bbd695bfa9f10b808f329e70a87dbbc262
3fc2adeb47b4f9fdf134587dc79fc696f13852e509b883e9ed7b308b77846016
73ca2bb8b5a217092150b3fc0fc469416868198b11179e51a05d18840742c2ac
bf4eb25b59a0472448b5efed8a8b5286867ffcc99751f2aee8c2b5e208800b7b
0de129849e28a7281cd7d6e6ca69f950a27efca7d1b121b1635e6c34b76ad167
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
c93dc9b3ec14e0e1d375ee919ac40ed95eb67eddc6cb9b7508b4f64743ad8804
0fa983b67dc6abd6cce03b0fcebd96d1bb78ffbbc65b8a0f5fe7ff6c79baa109
24952a927387b2cfbd99c117a3b7d74fa69dce826f70767765622a5aab3db707
6f417ed94d121bb0379a9ce8c0465c503b998bcd2c0df5021c0ee595901aebca
f79e68687f0f3089b125964c398199c04e5ba690540d213ee014eabf29e8eeca
fd272b82f6a8bba4cf146ca17e16030eee6bca8df4dc58330a3721dddd79a43e
87426f179dc002c1acca9d50fcf76cad614a4eaf00b81a4a960840ea9d3fbb0e
3f53c498838571bd3333fc44bda24180a57a37a5a1268f4cdb1d204212c29858
4518d27e5b9109b044c8dabfa242bb224be62ed58111701c1f5e9fb7ed189f11
e75f34f2f6cbed8eb31dbef8ec7d031fce2feacd74f3a516e777923e6170b5f5
e8c89752942b8011820e9d04753700eb70f77a8701796ef7e826399cf889f9ec
d98ed54790efc6d718d719228e2bdbf4295cc23c94c22c6d77b55217337f860c
6d304e636be69bafcfae9423e629770fe3499d352e2a2259b9dc8f428b9e7cbc
6dac7514d424951b1e3091f61a94441b718c5e64e9dba95cfff15a51d8cde370
a4ad4601041ce6d58fb2468be1a3570c6d4e8c0914762972d3ea9a7e66fb85f6
ac32a3b616e9fb1f37a3f8e84db8475dfefb5e3ca56c6eb5580fc6f3887d8744
129467623307928e4bd892bf6320cd2f4c791e5d91d374036469ed09127dba45
a84d6a658ddfea2bf155df47943d616f4dce09d55bf7abc2eac1f1485be7bb48
830eb8430c1b8ce58ea1e6fef98794ef5dce3c485e244adc2e8ad310f2fe2bc6
48b23bea4cdfe0a7e79bc5ebde6eb2d9c69485e14694c48c13f0aab452b60d74
a5888a484f812f66cd39e16dbbcbb0891fd7f88e28a02660acfbe95635055696
96703bd16fbb6ebb4d19bbe99956cc74bc08ef7b8c05d258783c970e7c300ffd
810af925d95b0578d0051b1c49ed2a708c6b8057445794020382560315e611df
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
cca8056faee51cc307d49154de2dcd5e14a7cbe86f90c54582788ce7b46aa4d9
4b6bdd2b172adc692eb97dd87b5a6bc461e24ba6e714096771dbc3c45168b600
94459db0dd7ef2cab3fd0969b43bb53680c55bf2ea9d03e66bfdd6ba9af65fbf
62ddf21940294964b888e9370713e136b014b8e850ce276d94e9b410a498e739
8f49069af492e2a87edd3a35aafec61b4640c7759917252d317eced01bfbe25f
f42ecdadfc4ba973e68738550d4346e1ca67f0574c7a88a0f8fcf24fd9317cf5
f735fee6c67843c3661810ddde634e99d4eb301e4b298ec06e55d5f58b2a9351
b2436df85bd09d9aeac01c9f7e9b0ba093ad117b8444c99fed71db13ce86f95f
1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
9e4960cd3423e643c807c5ac464331fe6844040bcddd39a1b373769ef2b13f6f
bc458140519b0c7cd86830ec9693fe50cdad1c1f27bcef7c33bc2348bcecb817
598fd9267e154c9fd5a5d36f5cf153a570c3265bd131cf63082b64cb4b4e7861
2b6f9aaa250051acb504eb782e963ef4bffca581d26d7c632b405f130ee5e09b
ef8e672ff4f30d2630ddebcf804c67d572e9979c949e4803654572479f486db0
061e29f834b607e0f56113f3318890231346ac04a7fe24673989e10261fe55e1
7d83a92926f6caf31b31a57f3fd55bff1105f3dac0d686847556149067897e55
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
3717f0928a99c81222dca1d74f568e2f92584b5bac7848697bd3913c01742baa
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
SH256 hash:
1ba46e17dfb88958721db7479eef9eb26fbd317cddb448225c5c74aa5cd87e10
MD5 hash:
6f68c447ee3b3c0a09caaca49b7883ae
SHA1 hash:
00868b076533ecccd5dc4c4a40a69eed8681e48c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/75423d98-473b-4778-a90e-3ffe421c38d2/
SH256 hash:
810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63
MD5 hash:
6d59e320844353e2006021b4f44598b9
SHA1 hash:
3b41aca9c2823a30611522c424ffb408d850188c
Link:
https://www.unpac.me/results/75423d98-473b-4778-a90e-3ffe421c38d2/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/810430cb80a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 810430cb80a2b4d0cfb713a72dcb40c148f5494ae06b904ebe019e8f61b79d63

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments