MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
SHA3-384 hash: 55aea4e8728fedf1d5b514295a4acdf7a9ea1e415dd24db06493ca77d09a5b30d8d1840cb082cbc81867faf64bfe7cba
SHA1 hash: 76cc96dbbbb48fb3118cf4f017f9d47bedda1112
MD5 hash: 818259160d46e7a42a9c7d09cba38dd7
humanhash: leopard-comet-jersey-yankee
File name:c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
Download: download sample
Signature AgentTesla
Create hunting rule
File size:733'184 bytes
First seen:2025-06-06 13:17:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:B8qer3Y7LTLtlI306F52pkE96PKgptwN9Be5O6gF5nM2NwFNInK4BznQT/15Odqo:BMrybMF5wL9yhtw30IMLDWzg2qo
Threatray 3'408 similar samples on MalwareBazaar
TLSH T1CBF4014532A59C03C97517F805A1E2B80BF41E8E9A12D7DBDEE6BCE778F2B095641383
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
Verdict:
Malicious activity
Analysis date:
2025-06-06 13:57:53 UTC
Tags:
stealer evasion ultravnc rmm-tool netreactor agenttesla
Link:
https://app.any.run/tasks/5beb8e36-2a70-4b47-9aa8-fd0df613e4cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7701/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6842eabd8bd5d68a12e5f0e1
Tags:
micro spawn lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6842ea9b171e01f9593841f2/reports/bf9f926f-5fd5-4d88-b62b-c47453e130f9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d88825b-af26-4e3e-9543-e599deca377a
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1708181
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Yara detected AgentTesla
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1708181 Sample: 6eWrk6V9Hf.exe Startdate: 06/06/2025 Architecture: WINDOWS Score: 100 55 mail.iaa-airferight.com 2->55 57 api.ipify.org 2->57 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 8 other signatures 2->79 8 6eWrk6V9Hf.exe 7 2->8         started        12 eQZiKcnZXU.exe 5 2->12         started        14 svchost.exe 2->14         started        signatures3 process4 dnsIp5 43 C:\Users\user\AppData\...\eQZiKcnZXU.exe, PE32 8->43 dropped 45 C:\Users\...\eQZiKcnZXU.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\Local\...\tmpFADE.tmp, XML 8->47 dropped 49 C:\Users\user\AppData\...\6eWrk6V9Hf.exe.log, ASCII 8->49 dropped 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 8->83 85 Adds a directory exclusion to Windows Defender 8->85 17 6eWrk6V9Hf.exe 15 2 8->17         started        21 powershell.exe 23 8->21         started        23 powershell.exe 23 8->23         started        29 2 other processes 8->29 87 Multi AV Scanner detection for dropped file 12->87 89 Injects a PE file into a foreign processes 12->89 91 Uses threadpools to delay analysis 12->91 25 eQZiKcnZXU.exe 12->25         started        27 schtasks.exe 12->27         started        59 127.0.0.1 unknown unknown 14->59 file6 signatures7 process8 dnsIp9 51 api.ipify.org 172.67.74.152, 443, 49681, 49683 CLOUDFLARENETUS United States 17->51 53 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 17->53 61 Installs a global keyboard hook 17->61 63 Loading BitLocker PowerShell Module 21->63 31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 WmiPrvSE.exe 23->37         started        65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->65 67 Tries to steal Mail credentials (via file / registry access) 25->67 69 Tries to harvest and steal ftp login credentials 25->69 71 Tries to harvest and steal browser information (history, passwords, etc) 25->71 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db/
Threat name:
Win32.Trojan.MassLogger
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 04:16:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzzs44dptiqen2f4c72yottcg2isjy7kv6zzqule3rro6kekwdnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
a39ada8e971d67fb725632144587cfebcbd96da06f29ae39d69214f7a5d79234
AgentTesla
aac6ec56369f80f32eaf0971b9af6b24dcd9a32a4a47e84527543e44d62c8ff7
AgentTesla
cbaf21eca02826ae4c3a6b7e4771a0d35b95e68faca9da32ba9dc0206e6ad174
AgentTesla
dc3c5b7993046434bbbe259da9c49a95022e7c3a32bd859485dc47217f57fe4f
AgentTesla
eb157afe45c88449ca1a85887d33e8ee0c479a943abb96f89843a399bf1afc9e
AgentTesla
+ 3'398 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250606-qjkelsfr8t/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/969f0a9c-748f-4c09-9c04-5f40d21e0338
Unpacked files
SH256 hash:
d27669acdb5b3975bd9b3a4099d85ac0e0361b6d1389273759354cd5e5a8587e
MD5 hash:
20f25c09bab2633790332e25d0cd6b90
SHA1 hash:
458cfd7dc1fdc63b329f5f361a87acad3593da4f
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dee34ef7-8f6b-4b78-a465-b747231a9332/
Parent samples :
5300d530719dedb6a72a1cdc2f7f1bcee476b089ecdf61efabdffa563cb7f677
dc7ce5b3cf200b892d1c189340459cedba99d3a7d37a4aeb9060330e30957ed8
be535ca266042b0e45a33715f5a1b7a3639cc18a445a6e6bd7cf967bc6cb588f
64e521b1aaa4bd2be8a49cb4e0072f41fc01511111bc8ebae05b47db97597282
f2cf2e30e5adbd28df56d9b640ac94dc8fcf6ff6cecc04502af5664e3afe82a0
bd9d4a2d5627b27b2e43afd37b07ce6c6b2d64a7017def2020c2c1434eae1a2a
a1b6fa9e588243668944849e127e349c783fc334dea9c2bdddcece2ff34dd7f7
5aca8a1675535db0ecee6e6c9253eae33a1729644097f882648e0eabdbb9d07a
5538bf66572560a066e4187d013e458a2af4323a7a5de87ff87968765e466ab4
2c0b6ae87cb80705150f9b3bf019a9033d5e841b8256397e8af4c162d0fae5a4
df898007e1517349ff3254eee2650fc870569478eaba486d3dff939e07fda9c7
9515b697030a6361fee15cb76079d448d0a754ce2552ab74fc690a73f5b602f9
c001d7f3f3ef024395493979bfa740429035bbb41b2586be826a0323c1ced030
e81120da828bfc636cb5cadb20a4e5418bfd3c66b8211a30510d686c8bb02bc5
7b62e2e0e51bc3923d80d98a074afdc84c8435c602f7d419c785d1907252312d
0fa26e0e12d79f68c5c3bccb9cb814fcbc6bb9ca50d05fe5cead8869db88887c
98eff3a2a7ca393f91baea68e96e2747cdfe01d3cdd8c3025f4d3467f0b3dacc
fe8482db209db0df28466076fae6bb2dec09aa8d4dea74e083d0aa2ff7d943fd
4ae05d2bba8d46d53a9c5bcce0471849b959c7fda03f461dcd33cb972683fbd6
95b82aa50dc25b6d67b4c4368411e8f82bdf1352b830e57e5899ab1cd427a1d2
c86d7196fef21b7e20ec36b6cad6d24629f975f3bf7b7bc1d0d9c6a269d23400
d29951ed6ca3422a3ae5e2290a755571354f8d17ba3512a3b64275386ab08c6d
ca58ead25fcf95690d903e455bf82ea743c5b899204f4c8b96b9837b62557e6f
a39ada8e971d67fb725632144587cfebcbd96da06f29ae39d69214f7a5d79234
a6c286bfeda980d98802ccdc481d8e0d22ef3d3a302cf6febbc206069a64f821
27cc7ce2c2328a5082ce11cc27fcc2240c48e013423269b12fca82d5797e4d1b
5ea0fc5f67e7259de6a90c985727e2758e5ab65536d23eac0561b328477f1c80
13cbede450e1c06e03ef174fd85e1007d4a8bc0b039fb37c99176a8aa73c229e
c6e7f1dfe1147b82aa1a3f872cbfa81183d777911edc6a4623255b7db6cf0d86
6cbb096deab1c0c40f9f1fdbe309833b82a00da407bd2bd515194c68a8b82127
90de8c395fd4b0a2c0cfcebff04f087535c025bb838fef8c3f20b734e2334f52
3e8619539b467a07851e0bb29967dfc08938a2a99f0617ba732c04a2468a2ded
3c831d32919d82c5b30e3bbe158dff4d2090803e5553248eabdedd95dd085736
e69d7fa2b55a9c5b632015c4cbc2551b1109e99f7773f4fe7def0aa8a91eca11
b3d2f41b5704729a419d9e83bfa59a94ed5169ab4f54d03145683a8d7dbd9d9a
3d0b896f48f03df06736eb64f46fea7e163fd750a01c232a0484e7ce302777f1
3961987dda53c630bbff8bca5d0ed8b6dae39c77a448aafda0a67c2db173e8c8
960e9c3e54dad1225bdbdf547efe031e0b45d5ecb7cff888a93001174161bfdc
cdb1354002555ada87956b8f0969543e171e7e5299002b2d2f55006c86dac026
d505aeb609922a84eee0643174d65e2bd43b1d11d70cca975f401f7900d5c267
63b75ca07d4c9bccc01f641a0521139b30fbda1ce268a8db0b98d03c751a0bab
8c4a4b649c366c2d0f1e0d8fdf1b656e0211f3f85e3514dc0fe1beb55badf5ec
1d1f82425838d2a940335c24e7c3e1abd269f413886818cf6448765b9a7b95c5
0aba07d01429aed2703c4045ef036dcad9b7f93ab2eb9f8f416f940934fa970b
0504c370ae5534a38818114100bc4c1a320931e320b2fd729e36ff58b875c546
a91cb8f0964b26c9063a3c3ced42a52ef548599b077d1f4a569f41877320c60b
5db250fb2ab758b4a3eaefe43070c2bf4be8ccd1fef3094b537ca602327220e7
6496f9016e966f55155171cc1518eb36ef88255adbb7f878dc2da2f87105c781
cbaf21eca02826ae4c3a6b7e4771a0d35b95e68faca9da32ba9dc0206e6ad174
8a93ef79c8277df11cb0ddcbd599d91628b51c4e1e2ae1b3a6577455d099f068
a6efa39536c28ce7c13801e1dd750d1e2a355a9fbf5b6f8ec234df50d8e93927
7183c81fac07b1c9a8ecc1690834e6a43e139a4cfd456713e62ed1804e1c19f9
c7ff164c5514d4163a06d218d458bdd52190a8d9d9f74a03f5d169570684a2d7
dc3c5b7993046434bbbe259da9c49a95022e7c3a32bd859485dc47217f57fe4f
280a6134113df4030679a57174accffb38dcbbe4263c149b1464fb3ef6eac0c8
051e5a94a6c94d57cf8231fbc78a1e33ae444bbeba7ffeccaaf1f0549a8e7e90
348d96514ff4a0006e2209eaa1e6e07cef0f28dfacec3aa4e69741a8b9637db6
617a4e7ecf0aa360735368ced0894f2c6676931888e3dc9b8a9400c3d1fe6cf4
b1f74a3da6549a5a2f17264da736756d47be4f4d815248815825cb5f997f9091
479eca3c180a3a97910bbea2cccd959fec8a3ec0419f4475e389dbc6b0dfbb91
68a1b863890521eff813bfb64d5b951e54a881b3d4474dea78cd72a24825f79f
63e9c56ece51abcf78da3653ed4b03355f36982fdca931043a4bcfca7caf145e
4c1ef22eb44128c908b57c9a8d5cd8755360a1ffab38372571d2db570852e3ea
5b5f9ff4df3c30e75660a3b1a87df600a738bf8ed4f6aba3b2f947bd029de864
f23224ea557cf148c03d5a2bea56890775022a159bc51792a8566bfabe65aa69
a87d275ebd05d10612525aa2cc02e4d54a2a77727e32e63ea5e3e10fe0c906f9
2a0c0c4c8709b5cc6f1043c4ad67c0dfcc96304c85f445e2c61a94fd14a1d688
bb2a41c1af77ec24270822faf43681073d9d9ddb6011265130c5c9af91d68356
eb157afe45c88449ca1a85887d33e8ee0c479a943abb96f89843a399bf1afc9e
ec018c564b8e7cdf15fe86dd50da2a8bd0ff20ca78948e89a31220eb8312f4a9
3bf577746fd479f9a7b91d7731999f2a3a2b8b8c6687f0df3d214dc1a871a5bd
3a323ce49e543bc089f489f3148b3d2c55b65bf210083830cb144cd15fed499c
b8a32448db879eb7ed511462a39d1e3116b02c3479a0ee04924a6cb9b8a167f1
7108d6a322392785eabb6327078ba9d4f9025a3a31c8f53e1253654d482a1655
a44fd93d26afd4ff2cf9d2bc47b5ec6eb123d69ec7824fb5e1ff097b6b5ec1cd
b2649a80ffb6315161f9b79bf651c31eb950d82ef77083aa3c03367c485851e4
c98d82d45df5d5a8ced124ef90869c7259a40f333d05f00fad4ce784569690bf
73f172c85028274de1decad7c80280cf39068e3437696b0750a0a0cb6894612e
16e98f38ce60581b593580dd757e715ae01e5127bfc357d10848542852ab8a5e
78e4582e6f6efb9def82e467566458cf71b8a150f7d6ee2ec5d5a6f4b828b8d9
9c4dc3b1c2f30fe23b0c7474d4f031baa894bab164bed065d72368d03aaebe80
cc198cc6d2e8efa770bba7b238fc2a25e425dedefb6387ba57674e9df10470b2
0c7ae10f72c07314a0f572acbc889401fd63af29f88dbdbcc30012ed4fc841aa
ba553640d08259f9cc3c8a3d118fb445ce452e6f50c0f36b91e51009eb2e8f8f
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
3e10b4ceecbc52eb03e9b82a300ac1015e319f29fe3bf055b1ac762c7ce9b9ce
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
b98df0093f704af1aca50d1aea978288d7a038823013706c7ce5a06072121e06
ffeb6132a9b624f6cc5ed5eb0c4819fb50658d966741d7774f2af530a400e699
e9dfb235c43655fc7f5ca74800a2c61218953b1f8e8d537cf4b435a9d1ac3d06
1909a38fd79f2a646233e19288ee195167336c4afc266c0c852476af1df931a9
9b80a8c7bd762d18e429725dc2520d7526b71d89593b49139ea7432170480648
e2f0b9dd0b78dd0a118d56c3606ba1643e1b4f63e7286bee0bb4f37f62266e40
c66005d3c7cd89f90c4280c7e99d6cacb96519fe21e3bdf72fd4c9223a27f8d5
768c64556f7e99ef482f6667d36082b5d88e42627d3961e2a1c6d50f6261954a
14c1b644e15f38f65b958fa200c9e40c1012b506022acb628613a6cc82c6bbac
d622c6e2e12e98681dd35ba906d735f0b60c178bfbcc806316bcad0efa7795fc
44e5228cfda6b52b192d2cdbce315ff517d43a087fb4bdde35b33ab197244bc6
9f727554346a304f9f045faa9349376067ba77a67cb072c10e7eeab246f24912
ecc0fb5ac93d82276ede030c7dfb846bfb345e631303224a238e782f1f37bbea
647ec8952063d8eec38013263de81895915cd407644c3ad0ac299d6e0f8b92de
2fead9e82b6b80508b3277e3d42a6a2c6a840fa4d307515ebda7364ef66185c6
6924b42d5d4d864ab365ec7b61078283e1fa5baa7f1ede0be94e2230eb060a77
a31db956d519b61be6c114ffd0bc069f72023e4eb332b783b13f2236107bef9c
4af6e14b66a0133a768976c94a605fc9fe21bc9f4f2928821e360ead69fdbb59
83ead02d86f49c956f10aa4f5c6f5d2d8aa5d46c12a82bbaf5d82c0390ba3044
53a9b2a14405c08c826397d20cf2946376fb576a8d251d9358676b925dd09825
ca14309813d292e3856252b6f4722ad9557f83c78b682ebf4781d31d38dee5f5
568f2488fb16b814b7b9a935a103e84df90f57f172a064f0dc34c25c73061f63
f654b98ea2e66b9f5ea9966f3da47442d3d4d71d3ed14a1a909f9cc4631b40dd
0ebfd6beeae72ae9f0a77968d90714146f353a32642c957a4b6774a57dadf287
7cc82c5d9605714ea18ef8dde14682831c53fbb8ae9c4ac09de2bd97d71f025e
0fb73562c769bfc935a2bfcc89f5c749f30212d6125b1ade665ff19bf5279bbd
8303a238f47b067289c1d0464e7d1c576288b0cc62dc43e7f563506804d4e5ba
1b90fa962c8b4ae6410c30cdd4af285caa2ed2381541572cf61a8cb20bfb36ce
0e9f2b852a6a060d1a741443659edeeed4a787f0b64f29a4cb6e5ea78d8d2a23
765d7485fb6cc4f939dd400802dfc6416f9e3ca1cf64ea9fcad08b97d2f206f8
46820e1a1693cd1fe29d27e442d488e6f7b6b9c422bfb4df76f18472488f1554
9313c29e84753f2904ac18f2e066b83ee91fca205aa6822ac90f89dd99b8805a
ac3262aee85b44738f7274ad207272a5da88060813a3c61284addf5f8ec7a767
6e73b55524c54eff5ebf588a7a964b1242047703d1a23ec6a83278470c5b3b74
701675ab87965d75ffac1446792e2504288377fee593bbf0aa3a3dd5d0aab031
c3287e8fd9e29c8818bbc9d162989d7d42095f7703c084162fa89a750218660b
a1fdcf3ccbf0d0f72ec62d632ed0cd750f58aa2c99c9eefc53133a7142f52d5a
527702a449a96ccd0ea26f5891680429057e866a18568edd43d3e705e01a336e
e39b8e8e04cf05907dd3bac8c172e0c2e3b06f169fea9a52e0e414e3dd0c5942
676d3c0fe0073ed133dfe2e2f0563d16e388b9b46ca436ecc580b7c07dc9b842
7afa072ab9f7d5260d1ed990ecce3e9e5f029c299ab4356f927af55d22051d3d
f73fab97f18b4700229b7eb9ded13c97fc99145057b1c6abc58f80272e3e21f7
2f064bf632c0821d2e798a66f51364fec30cd5c7d88367eefe1fe310c61e1671
1d99ccab2f2e70d66f2cdff40ed6fe6b638be63b9465fb2bb0790ad19c30e7d2
5f0c1e6643531444cada92f54702c1f60894484cce980f70132f04f753a398f9
9efaf32c5a406442430af9d14f3a4a85715de8b0f24d3f01753e145ae0db84b7
793a7f75c0979fea7f27ab5fd968416c19b1d8fd8d285b4b73dc67a850c26ff9
dcf87640a659f4dfa0ce7bbe7edd97090d02286262664ca581f18c954f96272d
f4e01d4d9834914db9621a06d4d567b48274ba1a30aeb0b12ddb8e7f39bcad44
1651a7b68f3468fdd53cc4f61e652491e4eb9ede675eb10b728a8e96e00a9581
5be644bc72d42d2b65547a369515bddcea970999ab0946a3e968311a365de425
38d76806484020d16c7e5113221089624e3b7917251bc5cc8224885563eb2a7b
1c4eecc941d8ecdf577063e731a5f506fa23fb951a7f34dad50768e0b6503008
8d9e4cdc23217573230ac18c77993958b28794bec8d2ab4acbb624030d50faad
4408732364104503053b4e5b48a431792fe8f4ecff83d073b93c0cf067ce6219
9c2d96d79e1975f6bc7ec20fdc8e7b57f4a8a8747ce5158d12b3ec4a6c7e63a8
7f3d5c371b6c14ed1010d3a130371974fa58c28dddef241429af3395dde56c9b
dc55c5c1535fdf16c7e36ac490fde1fbe20bdda6fe4994559246772cd03ac4f1
35f474f7310edb04f7fa82b60f56f4008ba725662628206dfc656a98c017601b
c9e8e3c92669d9191e42e90d879f53b9386636d8ad0fb2178d1d318bc241d662
584c4ffa608653ad21fdfe0ed4208b82aa762e01dd79d761889e0f7d645c4c5b
d735ac4882c834ba0a6f321dc6a2ea620a2916e85275266ca5e593af2132a2f0
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a8c91a43ab6ee2de15fe46e35a211b3c1c8e7ae4a1c4c28131618944ba8dab64
03e19460e77b9a239ad58dd9683cf49f3c79e485f90aa04f569e7e40a1924898
6a0acc5498eb90bd314b5148feb8ea698763b847ff5e6c62afb1eb361a386ea7
0df0feb6d8f0322c3bd6d7c1ecd0e7042b03bb16edff78acb7569e76821a1b36
0740c327a3fcd947256f351fba7b164d90b162fdfa873cb8041436a2c41e99d2
93f03eb8822d0770e3079b835a7d06c4685e9b489bd0aea32a416ad50e81ebc2
c11c368b82c5705b3d768ebbdc5d61415961233fa06ec08d915ebb240ff0c663
75d436daf3a4884c7ac1e12650cc105232a2778f769028e50a837ef14034ddab
ee8cea3c0570686d2ad7f38269d0d25e43cd9627be5c063aa7405ef86c679e23
b0dd31d246f2137e1315e3d93d1479e34b23fe9d2546b8afe4ed94cc6a30c879
5467ed9d9ca270411cd5fc7d60bf02dfc593d72f7b5673779787c0c0d8961b41
SH256 hash:
c15ae9e28cc9f140a4ac41555022ac0a346a87eb406f09864fe49437d0c9f258
MD5 hash:
bc96b3845489373ccdbf5694f3cb81e3
SHA1 hash:
746c64db97fec3dd6e1b0132a2fbb9a219f53bd5
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/dee34ef7-8f6b-4b78-a465-b747231a9332/
SH256 hash:
3109297f390a7b155a8b99fc71ba270211899a2cfbed9290c7a475a6c549bbc6
MD5 hash:
ca3eb964a153ee205b42a58827ed7121
SHA1 hash:
a09386b0c516ec830e01887ffa5571056ee06c5e
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/dee34ef7-8f6b-4b78-a465-b747231a9332/
Parent samples :
836130d92fa30a6cfdef9e8b66289d99f89ab55dbc3dbaa3cc409f565db5457b
b221fbbba9145479c60a63b77da5c52785a2f11ae697a6eb7224f930bbda9cdf
6f3ee68a709242ec89c66deb3a5c7fa9e3a96fcde560096d1c8b7962df8a058a
e1a7994ddfd57c0e0e5640720bab427afa0d0ca11f5b09d50b4fe8c9d030c726
006266f9eda6903e064e94e834d9513ad3a85c2d9964b50dd90d03e2b784ce2a
8bbfa40764eabafad6f90d973784f343b8d7146689f4fd4384da26935b2bca5e
50b5eb20f116100571a794e5fe30953bced95340d1a180108806cfe9e04da768
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417
394b16c1302ab448e7c5c81f7ad92c185a13ac68e585b661d2513a69f7d01857
0e30fb9a51c158c0d9a3d73562e99aff6e9ed61ab56ab18b5288d64c1945e9ae
2ec1db87eadd4126bfd104899d0e7a6c94e69ef80f7022f4388342fa6164e761
7b49be821f82c0045d96a26ce306ee9a65c862f7311efddb54c30bcd27ad94bd
a8970a4e1980b60ab0c3944cc63f4e32935dfee5166164c4fce000188957fa7a
aeed87f06c1d73acfe30d7bed14be7929caea7c5011582b8a807c8c72e88582f
68f60db69dd7b37366528129904a919dc09eef98f604447337da74fd757c5e15
3109297f390a7b155a8b99fc71ba270211899a2cfbed9290c7a475a6c549bbc6
6232ba2d8c8ca87c37818660014882d4d0536d7296e08f2c37ba1c692b901f66
e3308f1dd36bd61758447d5c6eb6e90adabc65e1119bbbe78537c3e3b622835c
f71c34128bf5c4a4ecc05e5aa4fbd02740b96c4aaf075124f3a4e33f36c17c92
0a9e932f64ddd0e3292064029dbc66987f28484dfceb705875b92403f40da037
676cc88d18585152438aa593970014f0f661f98b427d454627513cea119f0777
f32fe860e2a32304024771ae67f2b8190056aad488c7f128ae86f876639b70e9
4e25695bab3ab85fc29d5ec8858b9caefe193916eabe0d7bfc18059cb23c6757
7a4d615a35c88c224f8e4c3f71e1670673ef41d30c27892662a8c44074983df1
46ec294043413ecec9c6a8fa2c8a70d99abdc0d00003b6d31d795a76e50c7a60
8bb52d0be263f9a7841a7a7537f0ac85fe5fe4b5bcc87d94663dce56ebad90dd
457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
e46f2d7b2f17430fbf6670db5f785f22a38cec22cf879259032b1edb1d074c41
3e3d796025df4a863c3f4220bfacbe1fce38f67318524891218180857200ecb2
018b23732bcac6e2ccc7d8130259b5085d10dafdac74737e1456b5f38ee2c81e
6f4bbb5aee6549053ab218b1d564cdcb6b07144dcab1dd3e92683d640f3a8b60
76144b7c900168c9893aaa223a1ec8e8081cd827c99eadd3a6695efd0ad337dd
f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998
23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447
978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e
b071d89b6d73e8e71e636ea4f769293c079ecd935e98eadc0b6dfaf71e55368c
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
c50bc28b5eeca0a3340e4755de566a2712e043aa3d487cdffda72de617610cd7
de9c905c7d05ee8775d644ecc9354ca87a1c74fe5eb23537c0bec8784e7dfaaa
a217672d528e4ecb21e3e93d0da10ea3c6fbfc04483ef457c748f78fa4395400
634e140524f023482bdc5754c81245f02c004c4b8c30e9a9071f7d0a239a6b4a
b56e8431fa939f346a93b8e6178fa2eddeaa734c3e53b42cc7cd2edc087a07e2
422402851019bc4421161c525b901d326acdfff9b33e026256e5de20a91ef0bc
SH256 hash:
c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db
MD5 hash:
818259160d46e7a42a9c7d09cba38dd7
SHA1 hash:
76cc96dbbbb48fb3118cf4f017f9d47bedda1112
Link:
https://www.unpac.me/results/dee34ef7-8f6b-4b78-a465-b747231a9332/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6732e706f9a2046e8bc17f5874e62369124e3eaafb3985164dc62ef288ab0db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/7701/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments