MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
SHA3-384 hash: c20879ad109b7e8517d4a69dd51eaba4d804d525d7c67ede5ab07dc409f2f5704b2e459762f6a16965d4e3f5e5f5c95f
SHA1 hash: 65d79942fcc89adca579223ec8d84adbabdb8da2
MD5 hash: fa00c5e8af643873a2b1f21a2ad37e53
humanhash: august-march-wisconsin-princess
File name:QCP6Umel59hDYWj.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:884'224 bytes
First seen:2024-11-10 10:50:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:uqFKqbdlEmbGq/KVtfLky6vXhcmAv++ii31whOGYgOdc9RsODSBfiuMn:uq0qbkmN/K7o/X2NZiifGYgPrmBfXM
Threatray 1'449 similar samples on MalwareBazaar
TLSH T17615CED03B756B09DEA957B98069DDB143A529A8B004FBE61DC83BD7398C3519E0CF83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 0070300898b37090 (2 x VIPKeylogger, 2 x AgentTesla, 1 x RemcosRAT)
Reporter z3n8z
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dokumen Kiriman.pdf.rar
Verdict:
Malicious activity
Analysis date:
2024-11-10 10:58:17 UTC
Tags:
arch-exec smtp exfiltration stealer
Link:
https://app.any.run/tasks/8b56cc9b-e56d-4ade-a20a-9835011678c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.15832.11732.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673090276c614f3030a3fc85
Tags:
infosteal virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Setting a keyboard event handler
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/673090177af7816143763b01/reports/dd265780-b0f1-4882-ac5a-1ac67ae21365/overview
Verdict:
Malicious
Labled as:
Trojan.PasswordStealer.Generic
Link:
https://www.hybrid-analysis.com/sample/9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/260d6fc1-e073-402b-9c44-401b28b46601
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553099
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1553099 Sample: QCP6Umel59hDYWj.exe Startdate: 10/11/2024 Architecture: WINDOWS Score: 100 44 pgsu.co.id 2->44 46 mail.pgsu.co.id 2->46 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 9 other signatures 2->56 8 QCP6Umel59hDYWj.exe 7 2->8         started        12 KbvTYlDJ.exe 5 2->12         started        signatures3 process4 file5 36 C:\Users\user\AppData\Roaming\KbvTYlDJ.exe, PE32 8->36 dropped 38 C:\Users\...\KbvTYlDJ.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp4465.tmp, XML 8->40 dropped 42 C:\Users\user\...\QCP6Umel59hDYWj.exe.log, ASCII 8->42 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 14 QCP6Umel59hDYWj.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        22 QCP6Umel59hDYWj.exe 8->22         started        66 Multi AV Scanner detection for dropped file 12->66 68 Machine Learning detection for dropped file 12->68 24 KbvTYlDJ.exe 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 48 pgsu.co.id 107.178.108.41, 49734, 49736, 587 IOFLOODUS United States 14->48 70 Installs a global keyboard hook 14->70 72 Loading BitLocker PowerShell Module 18->72 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->74 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal ftp login credentials 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 34 conhost.exe 26->34         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-11-10 10:51:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ttluhcky5pbp2vfwtfcoceiwlkmaakjxvwtt2sljz4nfxeknznbq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
unknown_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1a9b0e1d73f7686b25b45d271edba4eaf6c93ae114e6805d5e39440a7e927353
AgentTesla
3ab5cfa98e47af08a289ebfb6bfcdb40b109ac077c1b655b47798cb559931724
AgentTesla
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
AgentTesla
error
AgentTesla
fd80ef0c4a88f9aa002cb779a52d56a5b0bbaf1061fc2885fc35559ec3d16907
AgentTesla
+ 1'439 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/241110-mxtcwswakg/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/86ab335a-448b-41f2-9784-2cf815293635
Unpacked files
SH256 hash:
77f40a5b957f9cd4ec858fda1e559372df8f7688cff656051c3e7668560ce0ff
MD5 hash:
606189fc0633b10674eda2b2ad7f3a6d
SHA1 hash:
e3caa412034fdbb749cba64bdabc3dac5de0ced4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/20696af1-9047-43f3-8a39-0c97f5ae84b1/
Parent samples :
2fd41cfb7c7d0653a396e538166b91db7ddc56cb008701a437e8cd92d63156b6
cfbea36edccb76c40ccc6f01d8cbf2d467533ecb1f3e7c7c709532998518b8d9
4db566fcdc413fe50153dc8431ae86192241f0e1e86071f80d42eb6e0fb5baca
b8d4c86463b945f866e0396ecf65af0e67e55224eecce97b033e25e816eca01e
29ce0132efcb5e1aad146065672d83b6b4ced076f1c91a851c8b34a30e7e08eb
b07790927beaf1cc2d81cf76f0081c7c264c3133fe71437ca4bd26e220800d43
4add5ca245ca6982f07f757d4f72086c45b831f6fecc1e3e4bb122b515ffc027
e19cb4af6c2d4eb1ea729a345b50c2fe5a902f7f55f79ced44da366da44471bf
9909337f624a1c2eb7aef7670b4ee0aff10baf7cae381b373c9463d68caa5a06
ba22a1fd5ccbbc56dd6c30c556637865c156a5e332e6a718c336b9d591b86a9c
c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
2d84e1e52b7502a8704c99e4a3f0e48ed31904c885ab2577a2b8cbcaff1c3620
2e83d1ac06f006f6e7cc461eb6a8098d5cabfa6caa4f5af55737690a47c1f47d
a66fd780dafe112e8ee95dd63b7d6138fea1e5273b961b2774e3be95a677990d
96bfa7096fb76234a5774f70dc444d719c7553ac83db00fdbb04c1eec318d4c4
dc9e448e51f4504726d8fdccfce805dfb4c228091f12a194fef40b2a86aa5eb2
058e2c02b8cfb93b480ea8cfac08e967b39631a579256ebee27fb7472194c1ea
2d34439b88bca48219791ac13393ba7a2a7c7b3d80d6ad25fa7fb1967ae4fd44
1682ee7703dd036cbdf6ad6daa38ddb7a4e7ab567b273f9ee209672f339feb2d
23fd85e7d0e1f372bd11f594fc1a64ac020f4a8c5adce87a70f5e9f81a66da44
325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b
0b0b2ba32fb5312ed77ae6925fbbdc872810de0e3566d5b04dbaace7e2f0dc68
dd9e683eba0236ad1ab942e817163a69ed449c17086613b69f5baad174d2c0c5
8e19bbaa0d533f50d2b7c9013955c07772e752b0751ec30e73a36b792bdf4adc
b3ffba5da1500b5a2645ef162fbfa00f4fb4020d539022daef7b9c49e81531c0
f5de23b1693c6872f53f4925775cfeac355a619a0813c603929221aa69513b38
ad1ef89e6394ebc77be2471679667ee5119f451dac3134d98f80a922e9bc51c8
11cab98b080d59753d1be6cb00fd03e1d575a2c9b2632c66df888cb3143b52f5
f6b09208c3523be3a490af2fc305d4574b38d95a435c8a55402fca38597e6dac
66c525114240093bc408138d4c93c51e7c09a235e183fca73ee66ebd150e4fe1
b207c12c675b8a8186617610cdaf2dc63e655f40662ee174d9a4d9c637c890ab
b4809d12158679aa7f01db86c54fa984305c8521a499b405ee130c5d91ed6540
a920dfb486d57b7d60d6bad4643d4f425802ce9ac8c520f9771d6689b65ffe80
59cbe4e681c4371b18a5f6d457369560ce9e4f0eda5a39de1acab8b5bdf73bda
2634af4fb7d0c056e1f96809592bfcd3ee9f3fedf0ad52f9340b67d3b67d9f0a
c51ca12f5158ea6d07f3def983ae49f6127696f23244cf0a857da46a6d640b25
5aec55bf10e81eaddb865b7a91339e137b25b681a768caa914c608d3cdf51449
3aad3c90b2113bf011c93db7987cce596fd1b0a94a3c36a9bad8d058effc33f5
aa02aef2c851348c873186b8f6648dec854ba7d84b9ea9119a80fc4b9df2acc2
7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
63ac85fa66152f936244088e40eb124a6888336a4508f8d3d63d818ad30e4280
67605bfe77b822b7256723089082b0f15b23bb69e6de86191750b660c0a438e3
426c094d1d8f9823b46ea2ef18e052c6363608290a4b98eb84e5ffe01d81ccbc
7c67cb0dd0e62da4a84525b91f583e7e433a3c1c6e9404a2927cd32b0d5096a9
5975fc05d280bfb5071a38f28a7925f709f5323f609256a138d700afdd793880
680c2a3691dc7babcf16daad934a2fe8efabb3214bf36f60825b708c7f736015
90df3fa2c8b6470115f4f8a4ac955bfa35b07ac6d4d796da6f99c89dbb1820a0
f5a51a5492d785c8e485251c34b7ccef2f676bc507794c219403e750c788fbe9
e897fbdf22b9f02edf6bd659f74cae0dfbe79245a58ddb7ca40be5c44f50ad33
d682eeadb7f5d9c10016bbe8ee8f8f16938d3f7c7b33b9703225efd552df6d5b
cf7cce1b83e67375808a6c3732f6894e263b12dcd6954c4b67f1af5508d05986
25d5929f0ef894bf532d5c21e03474a7f7db7cc0be168a2d618a40bb47de9643
248ffbd7ceb70f0a8fc98a93dfde21283489b926a757cc499191d2f43931a093
3dddfdfb08f93a00401bacc404b23826232436b872231ab1fb5596ec224efae7
6dd0bde064dfa14d38008052b9f3121565f86d97f6992d10720225192ee57f99
5e04b80012352f7c3a13f013d39a25aff09413f895217784859ba424dacea181
2986e457399c8f73e94332ba214f9e1a9a562a9932f4196f85036f63d673213b
aad2ef87a40be1648de42e22dd1b492526e3c64183034c72efde4d0e5a350c88
c80986ae29269ced5ae5d3c62833734693c71efbc0dc760aa4ae807f76ef7461
2bcd91a51b87daface2c741fe568e3f8356598ad50a5d4c423be36a5836c2f72
a2c0537782a8c28077337a873813db9211330a95725e641db956183db3252241
8311884c536e402615c44c0010553cb85718a79a82fa59f90bbdc79321cc60c5
bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895
9e49f5122ac42ba8a4619dd7ba2252da4118b9fd1755d2bdf17e2d179a3f5128
7ba7fe2d75fe74beedef97bee52008c4cf99e84313750b821c5202856d944e04
9f3e9756a14a38c92ac520ba9a1e74e8eae13cc8b59797d20b261f3a0add4cc9
49917f413cbf883715a5f6e5a30cb13abafc693ec296751ba8b1bdbc3142e8c5
2c34e04c20abbe2a2879ebf8360bdc8f4acbbc6b966859d312ebee520a019b8c
79ec5e64332e4f22497d2299b42a2f8b49d13820144ed6921274fecbae5acfe9
9e29fdeaf847390ef0ac52a24dca3803eb3b7527e3ecb8c2c18bc337c7425a5e
bbea0c056d01b506a9a6d37b6aca9147466e65a962f4b140887334e6f4a23b6c
db404ec3f27d0e9173f55db560ff6777560226f3a52bfde901897f637a24d89b
97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64
07888aca315d288cf934104bbee91f5a2d6cec258f9e8052adfb496cc7ea1f16
519e372bb8026c5aea93a6d44aefb4b08eb23731f2f902ae35866c5d6cc3dd97
5f87ddc2603dd15acf16958efa6dd40b484fc483f4a496714fab4adfd1ad1318
5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
4624ef5fa24a2459eb8c1504e9bdee4e61e762680ee5bc5f2f52c77f197648fe
e49189557147abb38b584bb167b436947cde7bcea7ab44815ebc44c4f21e1870
ff58fce3cca0cbcb18d3be37f8bbb6fd507d84723de229fb1522b84ff029170f
4c325803ce0762bebcec3327635377a360e221480c99e1a95b708ed224b22cea
d7e680c7e06ca19deae4e677096a243daedbb0fe6d04e02deb3955f7326086a9
d9dc8cf4f0c34bff044cc82267d7480d8c565c5299f1e5c35547f7eb866fc49b
e3aec20d29a2691e607ad989939708b9f30f2c94ecf07d6502f432f8ced2b44c
668deef3724b32f255013a251ec96a2b18e6dc48031ae1138fae82cac04d0231
35ab0d5f86d42c280b4d85b71900392d2d7ba817c59f55d902a4c33cce689567
e18db2a079a2f7c4e47e676e1a252ba3f09efa95fbff3efb6ef738df96fb5ebf
6a1c2df0bd6aacd1b69d3ab82b88b71f5552beaec7c452c36af1a3fed04c5bf2
af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c
94f858ec5529f4f52ae1bed542d9a38b2ab7e4be0446c4d9252f0de3d7cf2dce
4d45f8bd3b436a2ea84ea90bfeb028603b8118933688d07ecd3f7bc1d518da66
78c64fae4e08a3d998cdc688338437dff344b49e9a8509116640dabbd156299b
9a24b197698ebde37702b2993ea2d1d4b7d2ad327605af58a4b8b266d7d9e827
19870017af38aa7315ac6e67d6254aa0946c8264a9828f20627eac76297879c1
24229a62ebbc2cac8ac3a7e7a6da78b179d05541dc7ffc9aac472775e2e6cd11
4bec8930b1157e64e7d785c62f4fcc4d5d144daeb954144ee3f3a5648820a9a2
69dec355a88f71f9880052143f091580cecd4c6f301c1c6fefe931d44bf8c77d
bcd2af5fd6fdac5f0bdfcc38acbaa7d941a30cc75004c1f10731d6ad9efa7632
871768e4f3d4bc1e473bc694b4d5b39a52b1d3b9aa74a580083f3162ef425441
a1ba76a8c187d43080d95acfb939a54d1b1c83546bbb4547990bbfcafd88c307
e42abe36559b21170e153807df0fb9cf9191d45fecfa496363932168b096976f
c43f4d0f453155a1a2b83f793bcaf83429cc7c6452f430a1763eec9a31fd70a0
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
056604624998c531cc1a7cc40a64527e55875eb18fa47f59ad6c3678778956ba
955cb8de75d1143a7094743387ce5f52afecef4a07b22040d1da54050fed13cd
5de328c7851881e333be2850a1bd9760b94f8a5f300ac745603816da405b14a5
a2bcf903e2e35f9d43de040568e1bd0312dd0943a29f8b87861ccf50e66e9957
d8a9180da33ecaa39821ee77065c78cdf428a2c83afdbfa923e4db651b859961
8fd7b8dd8031bba418ae41089854aeba5cf9ee3a171d2cc8db05d95b692b83c8
1091372b812b70532f2d29f18f41f1618a0d72ec9e03caa5bc02dda877ff04f9
9b4391946e6ef750cd4790bbf6a35a0f2c43d10dd0475827e50946d8eea893b6
5c5722b380bf669c5d2fda7000c77a46513f5d107bc3e2f2508321df17313774
b6ad170d197d557e308b9356d0f87653eb463cf74a48cbb50ce74c7260c315c2
SH256 hash:
8bac672a3977e1a30966b867699ee7292d9dbe69e360206c325b216979dc4da6
MD5 hash:
b07f93fd835507cfd4a830431f0c3d9b
SHA1 hash:
b60076a578110b59b27baebd6f0c9ddd0e2a11b4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/20696af1-9047-43f3-8a39-0c97f5ae84b1/
SH256 hash:
0fd81528c151cab8ec12e609f49bbc486e90104c6bf9bbe930a30805c5cf5ccc
MD5 hash:
e95741036932605280ca747a562c13b7
SHA1 hash:
86f282ecc644e8d9841ddb18ec54a1a6c615d1be
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/20696af1-9047-43f3-8a39-0c97f5ae84b1/
Parent samples :
409dd82ae03009f32397ee056fcf698e7ea1145184fc4749f00b5ed2534de2d5
e33dfce152f0b1a0fd298f630bb284cc064c2d10d2c69f3e84b308895e1f69de
0f747da7bfb26e1f8bd1b4009036d2eaa3c5431f73bcb599027ab37f1c151061
ba38ba94dc7746ab451cb686df8d8f4cec03db581ae095c5e1b959134db30daa
b900f083db24811988658302c8db25549feda1814fd677a0888465355c3bebd0
a9c310861b7b0eab4b5f00ad0c69d6adb3526d9e9be7cc46ff392ff76ba9da7f
e8595c2e05c63c73af98ce3b55593d4210936a347ef99087d90b18fcbcb0dd74
2497f324ae5abfa05c6910d020b362d445fbca42cc1e320f0c34ae9851a7efb9
54c7016e2d3e49460764d54a465f36f72808382cfef49102446c74d4de9c464d
e864fd2bf5133bc27cd3b2b35dcdb71626128f2c28e24956bf83a1706c2f5bad
cb6c1619615d5947e12e576b93b171902218a8a108fc0148a06078a822ae4211
dbda2a0e7980e112602a69e8e0b12e1435c591b8436aacc5905bdcdca12dafdb
d3cdbd21fac606a9f43a12bad566f242ef59fac34206069528fa9e285e4005d5
44e2650ff2fc7ba8efcbc0a975b2d5ca2ecee228c6ee27df07b215ee79f5b320
8e537ef5b6125fef6449de923808b92122edc8e2d6cc887d49c8ed5510760848
664c0c690a791c1a863702884b3b3bd0aead7fabbd3ff6e46cff58f53c1cd3ff
1c9240b747d01e77bbd4cea63699992b29fc24581021c9fc2a96c75e9e60cc1f
96a1656ba39abe013fe75a41eb52d9b698f723aa7b5f2ba836a8bc3dccb47e2f
7ca9c170757e7f0f9092fcbef7d2830c2393373bdd00648e76e3437ca5a2169f
9f0a3a5caa4240f1aae236ac243a17186e5200983749966cb6b07f311a660302
1873c4b2bde16da1d2e923d66d20eea2536bc824e5134b60f3df4b770edf72d4
55dd72206a4adc304bcae93419f75ff9ff992724d13e92d4e7eaaa550ada4316
0f2abe41f47c8287b81f6f5be7983b8486b298d7121bbc8435ccd334a5f7ce70
0f1b66752dea36f9ad237a452b4bfb2950ab3ce90fcd920c6708f69ee8ce8c9d
6cab1f7e8d015b6db4533050a29b43a62292dd20c0a567d5215eed2d75818937
f673e1b0df47036fa85af6860c7cb98b5319baa42688dd5d97533fd53057dd97
6e7b4c60277416f97aa221245e0f1aca462a4594c621574b65f69e62f88477e0
d07ef403a4d320147704c1e188dfa93e140ac148489d60ee564f710e2dcd7550
824c2de7f889a628b7fde1b4c64837e48201b158b170c2f270250e82642e564c
1f3c2092e06e42ed7dd425ee68f826ad344bbacbde3dfd1cda112eb6af3a4627
d7928afd0b6864968e44f9f0ee807991b3a620f30e57048863ba94a40f291caf
402099326202da95a3c10fba47d836d6f9af2ce39f11e405da6027adcffb4480
3be7372f7dc6f8dbec2b12f15922aad92a022dfd930344fc076ef616d303f869
634a2665a39d9361917d4baf34b157a5bfe6f8712e6cfc45d9f57205efe23b9c
a6321a072d7fe8790f12f68fdb8c2e6fd91b212233fd3c98b9169d6b48ed15e2
d81f1cfc732280d0f92df78433544b467d837f60cbfcfdbff21c5f987eaea942
dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621
abfb108ffb2021d7851e2908a6ebf23b507aa2cbf36628f9f30b9eada587de96
450cbaf3ba2178d2ecde3158710066ad71a7d1b17130f29bac92b3414679d46c
0007503c902cecf201946832a5c157cf6090efb2e3b1c8ddfcb4c8e150fb7b27
b237b86e8000dc30c0f5316bb8116946fd569a5065e965f9e276cfb48e600a51
ff9dbc074c9fedf0906cdebe94a4ec7b438df3528db6dc3a649c29bb4414c365
f7b17ea8d0bb38c5760528dcafbf354618a643056f04dc110d743bbbf8e99079
95699b4df332139d1782520df7f136a413313d5b1dc05be131ab53acf355909a
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
d0063dabacc1569353b846cd664cf979784b4855d03e6ed4fc0ef7f013a0bad9
5eabc2ee89814722a4e157224e042211e7780ab450b8ed1f9311f72eb80f4262
9565e0e3358341d167b1adfe5a30b957aa028e19addb4427af1bbd41bfe67e6b
8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
f482d607663a330b6a2393c8c9850bba8eddc53a4f80012c17dfcc416df05880
87d0cb2cfe6bb9f82dd6a1ab3698892c5866322bcd4a598544aebc560d5fe01f
39c15e35f0b21b2680c56f0f281feffba42f17e437e4234fb2f575678e3afbd9
b17505955e2436a83dcc3b4a213f10fc2b827316ba2d40a5d6c2415feb34e623
c65e44ab50c876191f4c648500e7bf3d6986a7c6941fae19ee55d752aae2e523
c64cd755a3b9d9bc23e8b0654820c719556cd630198bd3ba147e5dda26474ea1
c620d711c48043d706ee5bc200e6087db4b9d46b854ad8d8eb8ba47c9c770662
b03db0564666573fc8c78762884386005dd29e7f39d76e008e36dea70bc7f2e7
ad7e3733334f727508954b7fddebe16af8fb5499e28e243ed42286da81a2da15
d2196a161741acc9a33cab7859e04c625ee492f31dc96a17c57cacb2517f61c7
72a1ba2aaf8d724372e2592797580d085f48ccdcc9f3985eb01b108a49fe5779
e6285b91e58a7dc662833fdf6b8a6574f871287308146d920b4e687a01974e4e
3f700fd41c6cca501d50cc2f62afd8e0d951efc1a918aa65ab3e84ee563ff1d6
595d3b670b05d0e45b48b7f6eea396ad268a02f42c80ae20cbe7cd02890e05bd
c081e4ae35d4644933b0b3542c569d7dea9b52e276ff7c0d7b8f4c4ccc235290
3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd
71fb09d88849f446a488c86f0fabb3a4c69b6c559ecc2166fa2d878d64837bd1
b5ef79a4b0b11a1d8546b1ece86049b558b21205228b8ad98f26e0a475795f7c
47890d0675f690a1ede57fd5619d2ee6acf90648268f0f5538c4b65be53b18e6
36a5e24f66a8e3059682f75bcc74832ed2a29767768b968e88452f0626dd2b97
13cafe220f24b118aa4bfe7ecc489415c8b593de6552a692ba87b636d04610dc
d2cab43a622ed80a2a79ff9266a25fe00175692204a5b022ad34787e39b578c6
806564d7681d2ceeea860949993d5d239949473548ed78fc45f351e7584276f6
c4004e409a21cc66cb6c0d77e72214349ffc8339f7cfa38585f5dd7e40636c31
6dc9d0fa317804195eb9e6f6970f746fb01d91b9758964dc722f31728f88d548
7b3756fe271e48ce86861ea41251320e986f26f51b71f0c917e1099d027c9235
e2ec8b7b5c0cb0461cbc9bde55b79c1da6219c87552b94c0491409c9c8988e6d
cf874da7b8afee07bfb3f9711dc2b1e3eac8c96e177ad338a5918260fe11fb3f
1a642dd77d6b7be3538a906db63abfab9fa008507efd3ce04d4aefc7acf1fdef
b1e435ffd9f5ca69e21beaf2820465fbf1efdf5ac5c691859f1f7957795234b5
1c2f2b8e26c9f1b700df8d0b069c2bfc07d8e4ecb09831e9c402c2aa6a92e2be
36d73dad1a1d20a3555e2206290f750426a6447cf2afd9163ac4764f7fe33af3
c69d5ba2cf0568ef7eb820943ade84ac38f9755b2216566301e7104b8e718796
224c1dcd9fc5ebc03058e8f271abf111c93b47570000615090576a79276b7dbf
1d1f60b21fe163afa6fd4342960a5f524039a603611cd5dcc3b20632c394220e
d2ee35269d6e4f6ffefaefa53d126ae88f6be5d79ecd3894981f844012b01ef2
de6caf2bcb90334037743c21d52d9a9707ddc9b992524abd45c42eb58b85275f
dc77100a6f5d92b71dedb82e431de0d31e571a4b216d44047e44fbb1e5b59e5b
1b169d86759603cf2c5524c535be2cae744a43914fa2b6f78d35c8e27389c7d8
bc6dcf0fb81a1212fe388d0f4aea0b7a213a45664e806236f3fb4e2ee2a64551
26d87f27a9ec64a426d4be355ccfea2671aedbf37545cf13529c04555ffc534b
bb906ba8bafc258a36d21d4fc1924334daf0e5a50c61f244d214ab312297e97d
dc303cf927f0dedb0cc934cf5f8c54b3fe5d0c0952f7d2a34082b9f0434f2346
cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
069393dd8a507d9cc76baffc122ee772fa281d078a95ac7cf2826d05ba251ea3
a25be9533b9bf7feb8ab371e69cfdbc40cdf7a9d6f9041e8dd04d5f7755d43d0
297659c9c082dc0a4b302a2d13189c9f85b5795c79ca3526cbce006b29cb1690
af3714df64bf3a66c27d6e4c718c6da0f770cfbb1cb33d10f15721246b2d717a
ac8248066dcae6455d379d03888b2d618e49e0715e6c11fa5e96ac44faca7208
03fd8790dd182915e617edd7273911a0bf068ad55c83bcf042771975cd6cb85c
50a91256ad1710681ad272b85b6eca0c4ada089ef954b4f48e18e188c482fc59
89c911723b05c5bce8bcd4dd0ec42f190763afc166e85e0fde944e2e752223c8
a5c02fd74ba332b6e1e77af7e15e9828b7371780a2930a1c6034fa99b6690320
f5d4ecc25c69d82f7664ca00768df241cd4fabb9d6aeb8edfc988b2a6f83a673
SH256 hash:
9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
MD5 hash:
fa00c5e8af643873a2b1f21a2ad37e53
SHA1 hash:
65d79942fcc89adca579223ec8d84adbabdb8da2
Link:
https://www.unpac.me/results/20696af1-9047-43f3-8a39-0c97f5ae84b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments