MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
SHA3-384 hash: 1bcba9250b210e695b1fab6df735a674c5f27fc26f89a6c07ee20ea64df7e42383d91eade8378df6a0573f9c529529bd
SHA1 hash: 9d12d01f183927f09ed6b654ddad8bdafb48e3a8
MD5 hash: 8fb83908d231f26f462b5c591a11048d
humanhash: stream-alabama-colorado-alpha
File name:QcgYuePXfjXfcUD.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:799'232 bytes
First seen:2024-11-19 05:28:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:gGgrKo7e7uh5DdXoaWS1pBGGdkM8ipU1m7nMrsIIk6/yA95i+V:gGfo7Ko5DdYaWS1Kf9ipUomF9
Threatray 1'836 similar samples on MalwareBazaar
TLSH T15F05238933965F6AD06B5BF7003122D413B4D4325AB6EB9E0CD2A0EE1E07B546F50EB3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zn03zh
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QcgYuePXfjXfcUD.exe
Verdict:
Malicious activity
Analysis date:
2024-11-19 05:29:57 UTC
Tags:
exfiltration smtp stealer
Link:
https://app.any.run/tasks/65f8477e-23f0-47eb-87ea-2e8bfcda2be0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.8304.15325.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673c22f15107a56eacc7d1a2
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/673c221e7a6ae3d44b9f5482/reports/0971c1e2-38d2-4c76-b102-ae8209096e60/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2b60dac-8420-47b5-af1b-1de6c00303f9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1558191
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558191 Sample: QcgYuePXfjXfcUD.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 43 pgsu.co.id 2->43 45 mail.pgsu.co.id 2->45 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 9 other signatures 2->55 8 QcgYuePXfjXfcUD.exe 7 2->8         started        12 rVTHOaxz.exe 5 2->12         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\rVTHOaxz.exe, PE32 8->35 dropped 37 C:\Users\...\rVTHOaxz.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp4DD9.tmp, XML 8->39 dropped 41 C:\Users\user\...\QcgYuePXfjXfcUD.exe.log, ASCII 8->41 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Adds a directory exclusion to Windows Defender 8->61 14 QcgYuePXfjXfcUD.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        63 Antivirus detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 67 Injects a PE file into a foreign processes 12->67 22 rVTHOaxz.exe 2 12->22         started        24 schtasks.exe 1 12->24         started        signatures6 process7 dnsIp8 47 pgsu.co.id 107.178.108.41, 587 IOFLOODUS United States 14->47 71 Installs a global keyboard hook 14->71 73 Loading BitLocker PowerShell Module 18->73 26 conhost.exe 18->26         started        29 WmiPrvSE.exe 18->29         started        31 conhost.exe 20->31         started        75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->75 77 Tries to steal Mail credentials (via file / registry access) 22->77 79 Tries to harvest and steal ftp login credentials 22->79 81 Tries to harvest and steal browser information (history, passwords, etc) 22->81 33 conhost.exe 24->33         started        signatures9 process10 signatures11 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->69
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2024-11-19 05:28:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=svs6byzvqna5cz5rvx7fumfzk6vafdqzvxnuij5pdo6udp7gpzvq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
38d921d063a0fb892086121bb34180b2a930819788a3e34a0d2f65224142d930
AgentTesla
5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262
AgentTesla
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
AgentTesla
c91b31fb14eff751d72b07b53b3d1d71a63dce9cc61bbef4c939cbd671090585
AgentTesla
cbe1d843259a92581d16088969b0ed1758866626b4ae37e7445abe6bf099f155
AgentTesla
error
AgentTesla
faf0e3fa2a040e49e3abeb69849e3a25ff621bc8499c70dcceb577ba89bb5929
AgentTesla
+ 1'826 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/241119-f6j29a1apd/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66c68ebd-d6d0-4ee0-bbde-4cd094a43ea1
Unpacked files
SH256 hash:
61861a9db693c3bd7605e37332afc02137fcb282eec6e23e81f65ce1a5b21294
MD5 hash:
f593ea0534d7825be79eb5c5cf9200f7
SHA1 hash:
8bf586c27bae89609829f2532d50707b9beb21da
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0c785e47-823f-4fdd-aeb5-9c2f0edf8926/
SH256 hash:
0fd81528c151cab8ec12e609f49bbc486e90104c6bf9bbe930a30805c5cf5ccc
MD5 hash:
e95741036932605280ca747a562c13b7
SHA1 hash:
86f282ecc644e8d9841ddb18ec54a1a6c615d1be
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/0c785e47-823f-4fdd-aeb5-9c2f0edf8926/
Parent samples :
409dd82ae03009f32397ee056fcf698e7ea1145184fc4749f00b5ed2534de2d5
e33dfce152f0b1a0fd298f630bb284cc064c2d10d2c69f3e84b308895e1f69de
0f747da7bfb26e1f8bd1b4009036d2eaa3c5431f73bcb599027ab37f1c151061
ba38ba94dc7746ab451cb686df8d8f4cec03db581ae095c5e1b959134db30daa
b900f083db24811988658302c8db25549feda1814fd677a0888465355c3bebd0
a9c310861b7b0eab4b5f00ad0c69d6adb3526d9e9be7cc46ff392ff76ba9da7f
e8595c2e05c63c73af98ce3b55593d4210936a347ef99087d90b18fcbcb0dd74
2497f324ae5abfa05c6910d020b362d445fbca42cc1e320f0c34ae9851a7efb9
54c7016e2d3e49460764d54a465f36f72808382cfef49102446c74d4de9c464d
e864fd2bf5133bc27cd3b2b35dcdb71626128f2c28e24956bf83a1706c2f5bad
cb6c1619615d5947e12e576b93b171902218a8a108fc0148a06078a822ae4211
dbda2a0e7980e112602a69e8e0b12e1435c591b8436aacc5905bdcdca12dafdb
d3cdbd21fac606a9f43a12bad566f242ef59fac34206069528fa9e285e4005d5
44e2650ff2fc7ba8efcbc0a975b2d5ca2ecee228c6ee27df07b215ee79f5b320
8e537ef5b6125fef6449de923808b92122edc8e2d6cc887d49c8ed5510760848
664c0c690a791c1a863702884b3b3bd0aead7fabbd3ff6e46cff58f53c1cd3ff
1c9240b747d01e77bbd4cea63699992b29fc24581021c9fc2a96c75e9e60cc1f
96a1656ba39abe013fe75a41eb52d9b698f723aa7b5f2ba836a8bc3dccb47e2f
7ca9c170757e7f0f9092fcbef7d2830c2393373bdd00648e76e3437ca5a2169f
9f0a3a5caa4240f1aae236ac243a17186e5200983749966cb6b07f311a660302
1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4
55dd72206a4adc304bcae93419f75ff9ff992724d13e92d4e7eaaa550ada4316
0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70
0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d
6cab1f7e8d015b6db4533050a29b43a62292dd20c0a567d5215eed2d75818937
f673e1b0df47036fa85af6860c7cb98b5319baa42688dd5d97533fd53057dd97
6e7b4c60277416f97aa221245e0f1aca462a4594c621574b65f69e62f88477e0
d07ef403a4d320147704c1e188dfa93e140ac148489d60ee564f710e2dcd7550
824c2de7f889a628b7fde1b4c64837e48201b158b170c2f270250e82642e564c
1f3c2092e06e42ed7dd425ee68f826ad344bbacbde3dfd1cda112eb6af3a4627
d7928afd0b6864968e44f9f0ee807991b3a620f30e57048863ba94a40f291caf
402099326202da95a3c10fba47d836d6f9af2ce39f11e405da6027adcffb4480
3be7372f7dc6f8dbec2b12f15922aad92a022dfd930344fc076ef616d303f869
634a2665a39d9361917d4baf34b157a5bfe6f8712e6cfc45d9f57205efe23b9c
a6321a072d7fe8790f12f68fdb8c2e6fd91b212233fd3c98b9169d6b48ed15e2
d81f1cfc732280d0f92df78433544b467d837f60cbfcfdbff21c5f987eaea942
dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621
abfb108ffb2021d7851e2908a6ebf23b507aa2cbf36628f9f30b9eada587de96
450cbaf3ba2178d2ecde3158710066ad71a7d1b17130f29bac92b3414679d46c
0007503c902cecf201946832a5c157cf6090efb2e3b1c8ddfcb4c8e150fb7b27
b237b86e8000dc30c0f5316bb8116946fd569a5065e965f9e276cfb48e600a51
ff9dbc074c9fedf0906cdebe94a4ec7b438df3528db6dc3a649c29bb4414c365
f7b17ea8d0bb38c5760528dcafbf354618a643056f04dc110d743bbbf8e99079
95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
d0063dabacc1569353b846cd664cf979784b4855d03e6ed4fc0ef7f013a0bad9
5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
f482d607663a330b6a2393c8c9850bba8eddc53a4f80012c17dfcc416df05880
87d0cb2cfe6bb9f82dd6a1ab3698892c5866322bcd4a598544aebc560d5fe01f
39c15e35f0b21b2680c56f0f281feffba42f17e437e4234fb2f575678e3afbd9
b17505955e2436a83dcc3b4a213f10fc2b827316ba2d40a5d6c2415feb34e623
c65e44ab50c876191f4c648500e7bf3d6986a7c6941fae19ee55d752aae2e523
c64cd755a3b9d9bc23e8b0654820c719556cd630198bd3ba147e5dda26474ea1
c620d711c48043d706ee5bc200e6087db4b9d46b854ad8d8eb8ba47c9c770662
b03db0564666573fc8c78762884386005dd29e7f39d76e008e36dea70bc7f2e7
ad7e3733334f727508954b7fddebe16af8fb5499e28e243ed42286da81a2da15
d2196a161741acc9a33cab7859e04c625ee492f31dc96a17c57cacb2517f61c7
72a1ba2aaf8d724372e2592797580d085f48ccdcc9f3985eb01b108a49fe5779
e6285b91e58a7dc662833fdf6b8a6574f871287308146d920b4e687a01974e4e
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
595d3b670b05d0e45b48b7f6eea396ad268a02f42c80ae20cbe7cd02890e05bd
c081e4ae35d4644933b0b3542c569d7dea9b52e276ff7c0d7b8f4c4ccc235290
3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd
71fb09d88849f446a488c86f0fabb3a4c69b6c559ecc2166fa2d878d64837bd1
b5ef79a4b0b11a1d8546b1ece86049b558b21205228b8ad98f26e0a475795f7c
47890d0675f690a1ede57fd5619d2ee6acf90648268f0f5538c4b65be53b18e6
36a5e24f66a8e3059682f75bcc74832ed2a29767768b968e88452f0626dd2b97
13cafe220f24b118aa4bfe7ecc489415c8b593de6552a692ba87b636d04610dc
d2cab43a622ed80a2a79ff9266a25fe00175692204a5b022ad34787e39b578c6
806564d7681d2ceeea860949993d5d239949473548ed78fc45f351e7584276f6
c4004e409a21cc66cb6c0d77e72214349ffc8339f7cfa38585f5dd7e40636c31
6dc9d0fa317804195eb9e6f6970f746fb01d91b9758964dc722f31728f88d548
7b3756fe271e48ce86861ea41251320e986f26f51b71f0c917e1099d027c9235
e2ec8b7b5c0cb0461cbc9bde55b79c1da6219c87552b94c0491409c9c8988e6d
cf874da7b8afee07bfb3f9711dc2b1e3eac8c96e177ad338a5918260fe11fb3f
1a642dd77d6b7be3538a906db63abfab9fa008507efd3ce04d4aefc7acf1fdef
b1e435ffd9f5ca69e21beaf2820465fbf1efdf5ac5c691859f1f7957795234b5
1c2f2b8e26c9f1b700df8d0b069c2bfc07d8e4ecb09831e9c402c2aa6a92e2be
36d73dad1a1d20a3555e2206290f750426a6447cf2afd9163ac4764f7fe33af3
c69d5ba2cf0568ef7eb820943ade84ac38f9755b2216566301e7104b8e718796
224c1dcd9fc5ebc03058e8f271abf111c93b47570000615090576a79276b7dbf
1d1f60b21fe163afa6fd4342960a5f524039a603611cd5dcc3b20632c394220e
d2ee35269d6e4f6ffefaefa53d126ae88f6be5d79ecd3894981f844012b01ef2
de6caf2bcb90334037743c21d52d9a9707ddc9b992524abd45c42eb58b85275f
dc77100a6f5d92b71dedb82e431de0d31e571a4b216d44047e44fbb1e5b59e5b
1b169d86759603cf2c5524c535be2cae744a43914fa2b6f78d35c8e27389c7d8
bc6dcf0fb81a1212fe388d0f4aea0b7a213a45664e806236f3fb4e2ee2a64551
26d87f27a9ec64a426d4be355ccfea2671aedbf37545cf13529c04555ffc534b
bb906ba8bafc258a36d21d4fc1924334daf0e5a50c61f244d214ab312297e97d
dc303cf927f0dedb0cc934cf5f8c54b3fe5d0c0952f7d2a34082b9f0434f2346
cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
069393dd8a507d9cc76baffc122ee772fa281d078a95ac7cf2826d05ba251ea3
a25be9533b9bf7feb8ab371e69cfdbc40cdf7a9d6f9041e8dd04d5f7755d43d0
297659c9c082dc0a4b302a2d13189c9f85b5795c79ca3526cbce006b29cb1690
af3714df64bf3a66c27d6e4c718c6da0f770cfbb1cb33d10f15721246b2d717a
ac8248066dcae6455d379d03888b2d618e49e0715e6c11fa5e96ac44faca7208
03fd8790dd182915e617edd7273911a0bf068ad55c83bcf042771975cd6cb85c
50a91256ad1710681ad272b85b6eca0c4ada089ef954b4f48e18e188c482fc59
89c911723b05c5bce8bcd4dd0ec42f190763afc166e85e0fde944e2e752223c8
a5c02fd74ba332b6e1e77af7e15e9828b7371780a2930a1c6034fa99b6690320
f5d4ecc25c69d82f7664ca00768df241cd4fabb9d6aeb8edfc988b2a6f83a673
SH256 hash:
42845ecc42abd302d832179057f11d269f8c7ce4bf324d256f35f5bca1ca45b6
MD5 hash:
0da34a44ee4876dd5e35939af02f1d32
SHA1 hash:
83109ca5bd5178b9f409a2eeb14dc0763df57729
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/0c785e47-823f-4fdd-aeb5-9c2f0edf8926/
Parent samples :
6968d52cfb23011d71a62b5b5f7a58f98bf287503af1dbb9d13d21998d1de6ed
ffc6b173f9b255702bdcbe65dd606f6154865c7fea2b2488305ba8f0d9ccef58
990e32f2b58b0c11d9998695169ab6a6b0825fc2c4c70d366eb2197360875edc
f303f80350d34a05961ace4456cc3408510a36852b94a75e0e9abfcd75f803b6
60fc7c50aff42fbe59f51bcec55bd48ef9e78025d471f26051907572cced5ef5
acbd111f6e01f7a02777bf50b95d61a352d476f031e7421f1fb356454a81e4e2
8d8c12c1b96b60a434c003d013e5bd8e948ea049246912b545fef1d3574819f4
4362b2639911cd4589bc5704aa5dac8f47bed2ab7d893b375cb74743ad38c3e1
c169a73ca29094fb2cb53c32f7cddf5fb633494a8e498ef9abb0057a19293155
38d921d063a0fb892086121bb34180b2a930819788a3e34a0d2f65224142d930
d709e53e4afc4e29076812e41282fe82bcf2f3d73abe7016f13a41f432f4bd75
5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262
f8651bad204cbf1299c8143c5fafb19346e11203273b76483aba23a0c91a6bbf
eaee2e889db67e2b31b9297c371542028cab1b572270e85757a0a4849cd004aa
c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29
2a2625e85758dfdc4ab64036bb679f519b8802ecccdba37eec44fb99e68e35a9
8e63fcd9e5fcdd993a7535a3990f28a4c95740d801dbfde8fb0d338bbae22d4c
5e8880438f921f4bd81f137cc9b4c44f1ba12b321a178d4d50a0601d75aef049
4bffa4186f899e3474a07b07fa5caaec795250cfe89d4c24b9369e2da967238f
b22bdf76891cde5dd78a3f1dbc7ad67543f9d66db4a959bf3dc70536d8d1903b
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
901f5ee695e32164bd5fa37b4d6ee86680c435aafdb9d504864b5d70d3da9983
e70f87d5f05ff21f16c25173755ebb71a2cf2b46c047aa9ad9bbf1e13e2dd3c4
f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7
d6186fa8bede1688696983f91284af10a7d8db6f28387d08c3d125853a0c93ab
76ee39157442dc28e64f089260ca42ec5374ae2fccb99d0940b9717e48e6dc86
43504fb57bd1ac94288d4f43963b862b3bcd530397bd7584f14ade877a31a8c8
6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e
d4c86776bcf1dc4ffd2f51538f3e342216314b76cdba2c2864193350654a9aca
05686f0f36d10b7c3056592eba7b16959f1940268ca9979c2312c50b8a73e045
f03acdb2a846f8060d76c3d81651949b5699a5dee5b2b26ec238872defd12252
01921eaf53c9afa578c6abce6daf8fd661d8be6467c589816785ff39f3545503
f69515024de365946c3a58ce3315898196dcca5a2d5a9ba3f5b257818df4055a
2efd54686c3942f7778ae4ad63c002e50d1fd2a08fac36ac770dff40cb3e3788
7bd9596f753e58ba917ba418c191af8fcb9b537e73ee6a86989960099585394f
6474ef699648b5f34d8739a9a102836b27e4dcfe718404fcd09a428d2e89a973
50603d9481c76ac7052a18320666f9206f6729c78fdb779c0e7010952eaede26
819453cf1ae051083e60fc82a6125798ab8f94385d65bb2c1920cb7579df6772
2f5f280877cc85b590b53a0b6c2d061b34a6d23629cca5ea0e0aeb0591ef3b0e
89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
5cce0ced936e5d9c13d6a4a8a3c149371c92236eb4c465e0e422142946509cea
a83b6e776af937398296eb1b06b65e9ea8226693b5a8337f35c8b8e42bebb23b
3f233256d32f8c33884510be0e50b614a35642f6ed7cb76b1f480373b548b295
8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
11013cdd71339c3aac7041ef80912c8c03786f5967d58c539af0d560687089e8
8dd1167ef29a5c350fd3004da6a685cf48c6c587dac25fc4786f9fd90284b5b1
402dc87138121e2ac00c7bc65bbdd39a9ab0091c3a1b163066924887a20ab361
7292590b86e83ca5c6993b8c56578740d1f066c91baf3d95bee2bd34d9153f15
c35b10fc350209ec356b48282d85b18d9b9ab5c0167dc88461297906602e3d61
429e0fa9706ee65774188e538bda0b69a15fb93e97864cedb88e33c650ed9538
10f6d70d363d93fce85e92f2ea94a36eda4c755606581cd101652afaa97a91fc
f6b094d042f1ccc79ef5060b18495c6bee55585630fac2c3d3f32a8c9c174de6
a36c66fb7fdfb2639cc0ccdeaeef4e6c1a1cd103ba76309ed32777b3f2ab069d
c6324c508e3f4ca77de6321a2ba98faec3cb40ab4b9d85a2eced9560f24f6eb9
4aa26829657bbdb5983129321451365832a69fde42f22687b9a7c598f2e04301
ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
e115d3bd2903d9d663a7a69edd08b0ba5f2528c831d17530bbf621648b44894c
bba1825bd893328442cb891a35420a5da41a5431d1ade643f085c5992e763d3a
0b06f6a3a4102c27376f21cbcd09d3c0bf5e6cc7e92f9b9a3810fc386ac8184d
bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0
c8d717bc9d9c2bd335a79ac5e189d98f36fcd7ab0c62475a7aa7da5fd5ae75d1
941559a78b6e1caf39212048e7f62723e5f283d1942858cc07a339d6d6b24362
cd60ea86b574b6b511ce6a6aff1314ce71b1953e169792e3e76a36913e85ea23
d5d8c33957e90d1caca4b5207d8da5ab1bc4caa9f702abc0ec006d0518ea9aec
096b33571e80d18c1763a3bd5d019e3177f1547b3ca6e6205a349075ce2fec18
efbc15ccbe9e7b1f1648d94c5e38e3149bff5d33ad93c0a56e68db648050509a
98ffb783354435168540dc2e8eb4570f865f324169d553ffbad828bf9f33acd3
59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
2e64ed10f0c61a872dbc4cc8ac023e947db0c9642044dbe33af671cff97135a0
5618efb4038198984ccca27de0dd5850a697038d9f0c2a9ad26b17bb26cc0f7b
9c9405332a044a5f3222dfc59bc8b36a4cd6fc4542c8651667aaf2101bb54ea8
e588a098e9ceb33f2616e11a3faf28162e5f4b7f3800b22ab3023bc376aeb18c
04620fd6c4803006181800a7c9dd8748e37e688d197bc22fc580f6d8400c4d13
744ad803081f6ad2d85f3c667c537c6bc3a47bf95c07f496315171790a1b05a2
b3af9675cef7e3a371e7a3d98d141b2bc6cbbc5da2df140dc09cf918ee3c62da
cc0fdb6946afd11917588ce448b752e3f49debcd09d2e4d6c6d04cc1dc774e92
1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
f0430c66223a7084799e61e0cb4541d034da240965e9aa62f2d6994ece64a5da
fbc1981c8c4b453464e63ea2155aa74d2e6e6da1fd3268fd8b45e16c1d2bd0d2
f57e0e55aa4691d0502f6da67d4ecb2823c98bd319c5208ae44a518a0a17392b
0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
ba5fae13322d5151dfb348ac1a2abc92d021617c154ef9d1e4efc70bf7fdf03b
5bda0fc048c68899988ae1d18bffe618d76edc0e02abcf3289018ac1038ff420
SH256 hash:
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
MD5 hash:
8fb83908d231f26f462b5c591a11048d
SHA1 hash:
9d12d01f183927f09ed6b654ddad8bdafb48e3a8
Link:
https://www.unpac.me/results/0c785e47-823f-4fdd-aeb5-9c2f0edf8926/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9565e0e33583/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments