MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fd943a29bbcacc76cd3168fb253b6090f73dd22f63c0459c627236f05f75101. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 18



SHA256 hash: 8fd943a29bbcacc76cd3168fb253b6090f73dd22f63c0459c627236f05f75101
SHA3-384 hash: d44601ea302a08b86660a5cb46d0d8cddbcfcd023d2adb6b47002b82e7d21fb360c5ba1b51d3a2b426728a239d7c3ca8
SHA1 hash: 2f82b691c22228df5c3a0ad27710fea9bae9c8ea
MD5 hash: 3253e2ac0b62c9057a1bc7aa165ce75e
humanhash: xray-leopard-berlin-avocado
File name: shipping doc.exe
Signature: AgentTesla
File size: 653'832 bytes
First seen: 2024-07-29 13:13:43 UTC
Last seen: 2024-07-29 14:39:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:c7SXfK9UEyPRsSO+KcHviTbBsEju3iq1K4Py9jTt5MP0RfJJAhXAnAkR:c+Xf8IyAvCy3iq1Kfh5MPqxd
Threatray 773 similar samples on MalwareBazaar
TLSH T19DD4238AAB54DF5EDABC1BB15661B04C07716210F363DBFF0ED868EE8D65B814488D0B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter threatcat_ch
Tags: AgentTesla exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 364
Origin country: CH
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
shipping doc.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 13:45:52 UTC
Tags:
agenttesla stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
Encryption Execution Network Static Stealth Agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Behavior Graph ID: 1484055; Sample: shipping doc.exe; Start date: 29/07/2024; Architecture: WINDOWS; Score: 100
Top-level DNS/IP: mail.springandsummer.lk; 56.126.166.20.in-addr.arpa
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
Process tree (each entry is a started process; dropped files, network activity and signatures are listed under the process they belong to):
  shipping doc.exe
    Dropped: C:\Users\user\AppData\Roaming\PACqQht.exe (PE32); C:\Users\user\...\PACqQht.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmp8F7.tmp (XML); C:\Users\user\...\shipping doc.exe.log (ASCII)
    Signatures: Suspicious powershell command line found; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    RegSvcs.exe
      Network: mail.springandsummer.lk 50.87.235.85, ports 49714, 49715, 587, UNIFIEDLAYER-AS-1US United States
      Dropped: C:\Users\user\AppData\Roaming\...\boqXv.exe (PE32)
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
    powershell.exe
      Signatures: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
    powershell.exe
      conhost.exe
    schtasks.exe
      conhost.exe
  PACqQht.exe
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    RegSvcs.exe
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe
      conhost.exe
  boqXv.exe
    conhost.exe
  rundll32.exe
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-07-28 23:17:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
b5718d47a4ea349efb0ee45fe13dfde84c57224b68f12b75cf134a2fdacd146e
MD5 hash:
106b78a2f9b59a36df341958f34f5a60
SHA1 hash:
daccf37cd688ea8c2d4078f4d3b673308b097480
SHA256 hash:
49fb751fe9b53df82b5edfa08216566fe96bbff748199338ffa2f6fb15575bbb
MD5 hash:
cf7a22f3cda9dfc235814b44d3c0c82f
SHA1 hash:
e9ea53e64a83b9b7f55650f2f099f031f0c4cda2
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
d1b7503d102f7db3a5be41f720b63a2f8ba6e87de5b9231773750710dd90a8c7
MD5 hash:
e1184ed5e43fec8af9a7aca7447e15bf
SHA1 hash:
b7114853ce1bfa8e590445db19d3df91b1d4cadd
SHA256 hash:
924915fcdcf83d580e54eb626ea55487431b1ab2095ac7144e0bb9a62c3d2079
MD5 hash:
33e0b1386cf5188680b14ec6c3bc2273
SHA1 hash:
738903a3dc2b91d8975c79786fdc16d5eb0e0c87
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples:
SHA256 hash:
2ae01061251de51af0f6536047a68d137b5a13c7ea6d02c4cf2235273860318f
MD5 hash:
374e512403b6723a5eda9f5fcf0b027e
SHA1 hash:
519e380f45bc17b2cb62decdb3b33c3ad16f19d1
Detections:
AgentTesla win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Parent samples:
SHA256 hash:
8fd943a29bbcacc76cd3168fb253b6090f73dd22f63c0459c627236f05f75101
MD5 hash:
3253e2ac0b62c9057a1bc7aa165ce75e
SHA1 hash:
2f82b691c22228df5c3a0ad27710fea9bae9c8ea
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 8fd943a29bbcacc76cd3168fb253b6090f73dd22f63c0459c627236f05f75101 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Comments