MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 15



SHA256 hash: 88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419
SHA3-384 hash: aab4d159098e66c35bce0038d57c2c106c40cc173c28b8e15a0002521b811a2ecb20df4d26a8a2d429db50746d675b64
SHA1 hash: e0197027ab678a4558a6fac053051a898ab2446f
MD5 hash: 91463a6b4347b48270d4e9c25445194b
humanhash: coffee-double-mike-oven
File name: wslakcasiepsaa.scr.exe
Signature: AgentTesla
File size: 731'144 bytes
First seen: 2024-07-31 13:14:16 UTC
Last seen: 2024-07-31 14:28:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:o43Ns30LTenC5IKAM8RKVjIQjXX9znLbkrl+stp6JT6GJMvVVp+SyjndCFeQkR:oOs33lKAXRWjJ8RLtpCOGJMjp+SyjdCW
Threatray: 197 similar samples on MalwareBazaar
TLSH: T18AF42327BFAD4054DC9EBB7B12938A12DB70F943EB76C7191C9021C62EB439108A675F
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 371
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: wslakcasiepsaa.scr.exe
Verdict: Malicious activity
Analysis date: 2024-07-31 13:19:59 UTC
Tags: evasion snake keylogger telegram stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: Discovery Encryption Execution Network Static Stealth

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: PureLog Stealer, Snake Keylogger, VIP Ke
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph ID: 1485367
Sample: wslakcasiepsaa.scr.exe
Startdate: 31/07/2024
Architecture: WINDOWS
Score: 100

Graph-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
Domain-linked signatures: Tries to detect the country of the analysis system (by using the IP) (reallyfreegeoip.org); Uses the Telegram API (likely for C&C communication) (api.telegram.org)

Network (from the second wslakcasiepsaa.scr.exe instance):
  api.telegram.org 149.154.167.220, 443, 49741, 49750 (TELEGRAMRU, United Kingdom)
  reallyfreegeoip.org 188.114.97.3, 443, 49712, 49713 (CLOUDFLARENETUS, European Union)
  checkip.dyndns.com 193.122.130.0, 49710, 49715, 49718 (ORACLE-BMC-31898US, United States)
  2 other IPs or domains

Process tree:
  wslakcasiepsaa.scr.exe [Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes]
    dropped: C:\Users\user\AppData\...\uucUtRKUEiXuh.exe (PE32); C:\...\uucUtRKUEiXuh.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp64F9.tmp (XML); C:\Users\user\...\wslakcasiepsaa.scr.exe.log (ASCII)
    wslakcasiepsaa.scr.exe (network connections listed above)
    powershell.exe [Loading BitLocker PowerShell Module]
      WmiPrvSE.exe
      conhost.exe
    powershell.exe
      conhost.exe
    schtasks.exe
      conhost.exe
  uucUtRKUEiXuh.exe [Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
    uucUtRKUEiXuh.exe [Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)]
    schtasks.exe
      conhost.exe
    uucUtRKUEiXuh.exe
Threat name: ByteCode-MSIL.Spyware.Negasteal
Status: Malicious
First seen: 2024-07-31 13:14:07 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 20 of 24 (83.33%)
Threat level: 2/5

Result
Malware family: n/a
Score: 9/10
Tags: collection credential_access discovery execution spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Unpacked files
SHA256 hash: f7bf5dec85a3ec02b206fa42e8b3c4857db064b1094ad80a80a4899cb3b1222f
MD5 hash: 65e978693d8b713bb2b96af6f58286ee
SHA1 hash: fcae99ae09d804e80d7718aa30d2ea220ef340c6
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples :

SHA256 hash: 0a0124882ac97d43700ea2d5d8b89215527ac6516646d570acf44fc0ae8fe352
MD5 hash: 92e8b59d83836da347327484b46c6026
SHA1 hash: 7c0428e8ed07c24cb55b4112f8a9e347522ed5b9
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 0e281385ad070cc42e92dbf90205e737906f58830184373542591a5f1934fd81
MD5 hash: 1a7ce95789beae82d8dfa4e9df482b74
SHA1 hash: 78b3a3385e0c1284163081d663df41b5ecc5d9cc
Detections: win_404keylogger_g1 MAL_Envrial_Jan18_1

SHA256 hash: 924915fcdcf83d580e54eb626ea55487431b1ab2095ac7144e0bb9a62c3d2079
MD5 hash: 33e0b1386cf5188680b14ec6c3bc2273
SHA1 hash: 738903a3dc2b91d8975c79786fdc16d5eb0e0c87
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples :

SHA256 hash: 88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419
MD5 hash: 91463a6b4347b48270d4e9c25445194b
SHA1 hash: e0197027ab678a4558a6fac053051a898ab2446f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe 88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
