MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
SHA3-384 hash: afc776daedba5a2ed4564131c3867ffbb2298b3fdd802743f4be9f57f472f1ab60c596ab8aec98a70b63a55206fe74c1
SHA1 hash: 8dddcb3f2b7070d66b1eb5fb578a6bcdd99891f5
MD5 hash: cca3b63b7101389add0672dd17daf9a5
humanhash: charlie-four-sad-minnesota
File name:RFQ_071425.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'744 bytes
First seen:2025-07-14 09:25:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:5frsJd/3plPxXTwzOX15Cw/8vZrUwMIbfCni7vb0TTjt7tm7uJbPN/lBuVV:VrsJ95lPxXTwzOXOw+ZrdMjw0nZ7wmb6
Threatray 3'371 similar samples on MalwareBazaar
TLSH T1B3F4014061399F22C5BE07F21912D1B017FB4DEEB021E3574EDAACEB7964B841E42B67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ_071425.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-07-14 09:33:20 UTC
Tags:
auto-sch-xml stealer evasion ftp exfiltration agenttesla netreactor
Link:
https://app.any.run/tasks/d7f07e3c-a374-4bf9-897d-e4f674b23620

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14211/
Detection(s):
Sanesecurity.Malware.28918.BadIN.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.3367.20017.5158.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6874cd0a900df8e7f86a8a43
Tags:
underscore virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b2864f02-cee0-4429-9e6c-d88a702d571d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1735856
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1735856 Sample: RFQ_071425.pdf.exe Startdate: 14/07/2025 Architecture: WINDOWS Score: 100 53 ip-api.com 2->53 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 13 other signatures 2->75 8 RFQ_071425.pdf.exe 7 2->8         started        12 wKLeJuhYuZwJ.exe 5 2->12         started        14 svchost.exe 2->14         started        signatures3 process4 dnsIp5 45 C:\Users\user\AppData\...\wKLeJuhYuZwJ.exe, PE32 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmp42A5.tmp, XML 8->47 dropped 49 C:\Users\user\...\RFQ_071425.pdf.exe.log, ASCII 8->49 dropped 77 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Writes to foreign memory regions 8->81 85 3 other signatures 8->85 17 RegSvcs.exe 15 2 8->17         started        21 powershell.exe 23 8->21         started        23 powershell.exe 23 8->23         started        25 schtasks.exe 1 8->25         started        83 Multi AV Scanner detection for dropped file 12->83 27 RegSvcs.exe 12->27         started        29 schtasks.exe 12->29         started        31 RegSvcs.exe 12->31         started        33 RegSvcs.exe 12->33         started        55 127.0.0.1 unknown unknown 14->55 file6 signatures7 process8 dnsIp9 51 ip-api.com 208.95.112.1, 49692, 49694, 80 TUT-ASUS United States 17->51 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->59 61 Tries to steal Mail credentials (via file / registry access) 17->61 67 2 other signatures 17->67 63 Loading BitLocker PowerShell Module 21->63 35 conhost.exe 21->35         started        37 WmiPrvSE.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        65 Tries to harvest and steal browser information (history, passwords, etc) 27->65 43 conhost.exe 29->43         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.09 Win 32 Exe x86
Link:
https://app.malva.re/file/cca3b63b7101389add0672dd17daf9a5
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-07-14 09:27:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sonnv7xh7u5sssrwhfuvea4jxa4qiew2hbuwo7ju73xniqdcvpza._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
40a689e0b31438b6990afdb225de28913e7aa099cb3966ec8e03fc55517ea8e4
AgentTesla
61823f8b8948aa13ec857248830031280ae6cb0eb0b64254fca74983782ed9ce
AgentTesla
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
AgentTesla
9589cd6ddb6b20b15ef6b527a417b2c964dddcd3d79d38d7dbb40aec1c91d431
AgentTesla
cbaf21eca02826ae4c3a6b7e4771a0d35b95e68faca9da32ba9dc0206e6ad174
AgentTesla
error
AgentTesla
+ 3'361 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/250714-ld7kqsgj8w/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d38d2410-ebd7-4550-ad13-d28327968620
Unpacked files
SH256 hash:
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
MD5 hash:
cca3b63b7101389add0672dd17daf9a5
SHA1 hash:
8dddcb3f2b7070d66b1eb5fb578a6bcdd99891f5
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
SH256 hash:
318a17b4b77cf65ae2b59dbd209a0e7a15a20656727e6317973ba5e0d38682a4
MD5 hash:
c0a58cbef40885d85ea8259b0e6b5015
SHA1 hash:
2cd36e07424dd635e07deff00c226687da44b4fd
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
SH256 hash:
9d65c6d8d7f423a6fe68de2cd3ff67e9481d636a64334e402342253326966410
MD5 hash:
868d866e4331ec9d8195cbd3d10064e3
SHA1 hash:
43789ddd18189f0e321d69f2d9d365af9100494c
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
SH256 hash:
0ad9330f8096b30a282f53d51dfe44664f3ba3251199d25f097c01f43fe55aec
MD5 hash:
cc621595551035aa96c37e8738bfb040
SHA1 hash:
3507953a4fba3cf6df37347156f060e4e9e09ed7
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
Parent samples :
06ede9a79380740bc6717b85c81962911c87ef299c0f9925e44cf66569784154
881666cfb7700551912b6f0b5ed601d61aa0c81576d53f69a43246b573832f8c
c45640db87251995dc06c2ea4ef6ca5c0922df2b54819c84f4ef3477a4cd23c1
371f1cb8f80e05125b0673ba6bcb23237cdfa3c66f2954561ee476b8d6f89e70
6ae17339b8a76cb12268e292ad1bd020e9b02acad06d868472bf00926bb83821
28dd00c9360fc7d7359113ee5599e0d902fdab71305d9f8ac52e97ccdfb1858b
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
b37ff76776a38f2a0ded7ae2220a44c0dfcb92ed88f135bb3f4443ad8b98548a
bae9c509299e16792064c4219babb32f5acaf456a067228c77320ae69c678d31
4c732e0d384f492723ed512743084b8d30e75dc836f9baec38435e7f7298a752
10b473d1b8926572686bf2c6b3bdbc67e18a8dbf066d7f392966bccac917c97a
b72158c1c37f7ef6edfe5511acd3c9f7131ee6093688290b33d250871d7b74fc
034376b7cdb06a63b0232f54fb906b95f37fc7f4921e9c6999c37f4aad9d61ba
3cdbdeddbb04d4382fdd85e848bbfbbcc01e3dfa25df1a96c7bc6a9d1f5bbd7f
6d8d665ed1c840de96732ee893e4fce02f684b81491b92291fb99d537cd2b933
71cc18003948de6d70cfef8ecad9a10d842c3c24d07488b7b1c040c39755fd2d
f10f2a163771c5a1a36a9c243b3887caa461b7c6340c069e16735e2ec7d89219
9b77205f51b2a49e9a04f112d14f350e37c0183fe87c0614b597f81c5d57a95d
d2d35b1008ab18a196bf68887081208b475a1a70a74ef2ee8da7fe065cc4ad09
32232a07b736cd0d8e26f355bb8132d736c71bdb01fe2a78e386664cccde6dbd
566ca7ccb9b63e49ff9bbfe0dc46bfc628d8232f7d45097eeb92518203711b5a
a8c09aa5ef25bcd378a81138c1eb67c3e259c3e1e8ab6a25d3f59859d0929937
8f59ab17a29c57035493103d83e22f6f1ee15d33df4164fc69f47918f177cc1e
36a075c198f7bd34a5a7ac2981d644428a32d32efdcb6f5a16ce1b085f0fc08e
d1a0edb84de425f4ab004ef17965b309fce345f682248865b34d9b4932d6f8f6
52f7d9e48e3bd296430db88b98ee848e1d5daec114c1f2afce6d1220a89e2914
a8561c312838771cf9a079cb93b31fe770796853a74b4306fd881e8dd4340479
1f51b1d0df7579263dcf24df5e1c929e697f6d10549086c366f673450b69e079
b11795618dd4c3d57ad342cade637ad1d96006c7d46e803bd9eb3bee29ef2b67
0edf6cb143e229fe20ab001a3807027e15681cf90663407519dacf6f3765c99f
3b8313decdeb72e5bc04326dcb9cedf06c1bcce618e5f65d84fe5f481f9af3c0
af94dfc71a87808a55b15f45c08c816f8c82eae3727760424c03d5c790613d06
d1811755daa3a02ad817f8b136e4c7b8299f8b17af7e38bdab0059986d510a7f
56a52da62bfba5f29ebc4c1ddff84bf2959c84db06fd685220ed910f18074e7b
1d026c14b484d4d249c82b889bab3523f5df51fc5522e482279c2b0d99b6b55a
SH256 hash:
3fc712a5046c3883c22bfc1c680150348b95c407c4befd8fb28b1be93dd86832
MD5 hash:
2b2fd5093f0eb3e92bca549561e4c2da
SHA1 hash:
35df9a03e3235baebca3e0fe5b07d099df78f683
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
SH256 hash:
126f7676bb7ad2299314170d0797109f1e3fb5bef699d50a2c8acb016d36b4a9
MD5 hash:
4f0c43e7cfd3b07291a8ccc033ad38c6
SHA1 hash:
3f1d29ff59d1c0f5dcdf8e1bf37b1b240d071027
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
SH256 hash:
79fe770cd39305f88da6ae2e1d418020be7b17d7ee4357c4e825e295ed9b6576
MD5 hash:
e84624a75bc4bf945c841238e9f8e022
SHA1 hash:
813060e2498c095ca469f51286ab209f63b84a81
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/226de46a-9b0d-439f-b471-65f02bcd3e38/
Parent samples :
a6abc8e699e17387c5ea157f59980f555d6affd4db7407cde362f9e8a5345eb1
8c05d622b2d534ad16dfe3b7c895dad48b3fb9faa5bde32e022a55cef4c2bba4
4ac0bfe8161d9f1cd6e355f8b7d0793b12bf610c9114d6bef8bb9c22ec1497e7
423dabfcc802b1648141066239b54489931e76e087d865e92e319a1eec93fb78
ee21aa4d8c30c0173a668f1fca70e740eaec54e8164f9bee0be3175ddb560b5d
42446c1fb13c386cb1767f330d9d4054354efcf7d5ec98c9f1f33d7bd81f82a1
9b6af259e6eefed01b77627d30a790bd5b78ec1409b2ce9d822a63d73af43822
224a983cf39f1db150d2407badf54a922ee2ea9984cb369cc99bacfda1513378
61823f8b8948aa13ec857248830031280ae6cb0eb0b64254fca74983782ed9ce
fe8482db209db0df28466076fae6bb2dec09aa8d4dea74e083d0aa2ff7d943fd
61a70480f367e92748845613681580625931d857257539438df67cf9bebe1872
4689a42871ec936460f31dc0a096dee67adea3989db417eb64a9fe5bf60aa3e9
027ad9f5a3cdf168389e014fc48b3442e04db65e011c0ace8d529f9035ac9d74
97719ce27cd8169ca0f4db352c3f9c53fd700c55d059e9835fbd451e75f59bb6
40a689e0b31438b6990afdb225de28913e7aa099cb3966ec8e03fc55517ea8e4
91351b629c068a7a43395c58e3e0ddce96e33bd7519bbc7358dc32a3173fd533
bc1257fc1466c1f0b6ec8a6f4ad48fb7704f6e21bb3cb293f856f0d780ab9aa6
88b68dc0403ac015c419e4555f577a06b6a952bfd975501b2b57358fc7c85988
9589cd6ddb6b20b15ef6b527a417b2c964dddcd3d79d38d7dbb40aec1c91d431
9b8128d013706f374ddaab6573aaad7fb1767cc4459716597836d838acf2c80c
939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2
36a075c198f7bd34a5a7ac2981d644428a32d32efdcb6f5a16ce1b085f0fc08e
ffa2ef64753d388a36eef4da1fe88cd54a1f823483445c97c016e984bfe85374
1f51b1d0df7579263dcf24df5e1c929e697f6d10549086c366f673450b69e079
30cbfa02438f1323a65cba36353b3f4b5754480c1a8d53a8a96459063e957c84
ed1b0cbba209aa95d91ce6d8991afd7982303335f96f459ac9b6b10257c6693a
90849d86ac7bae351db2917f30c435f8f55ea15fb78cfd04830e598b3d437611
156aae917468256389912d703f16f156f9089c881dd54265b67dbc844f0cc6de
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:agentesla
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked agenttesla malware samples.
Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_779cf969
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 939adafee7fd3b294a363969520389b8390412da3869677d34feeed44062abf2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14211/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments