MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 20

SHA256 hash: cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
SHA3-384 hash: cb2786db0db36ff8594489d71299acdfb5acbaf942ea0c4bc32b4a160b0b8a714deee8d02d53eac15fc5b8d835ed32d1
SHA1 hash: eb83e964b7e5ecce552b02e8ce48217e9e60ab14
MD5 hash: 15e1339f52343ce8e1b302b5ce278529
humanhash: mockingbird-item-oklahoma-stream
File name:85fXeE8MtrqsWMh.scr
Signature AgentTesla
File size:670'208 bytes
First seen:2025-09-01 05:42:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:6kC0OW77k7AgooAnI59QG8/sYYR5QCyhUAHxefRqHKqoGBGrXw:hhxq9W/UX4xAEHlVGrg
Threatray 807 similar samples on MalwareBazaar
TLSH T154E412982787C903E5F35BF41D75D33467A82E9DB812C36A5AD9ADDB383A70068806D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:AgentTesla exe
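The imphash above is shared with tens of thousands of unrelated samples (48,657 AgentTesla, 19,468 Formbook, 12,206 SnakeKeylogger) because it is the value every .NET executable gets: the only native import such a binary has is mscoree.dll!_CorExeMain, so the hash carries no information about the malware itself and is not a useful pivot here. The block below is an added example, not MalwareBazaar's or pefile's code. It reimplements the normalisation pefile applies (library name lower-cased and stripped of .dll/.ocx/.sys, function name lower-cased or written as ordN for ordinal imports, entries joined as lib.func with commas, then MD5) so that the reader can see what is actually hashed; as a simplification it skips pefile's ordinal-to-name lookup for ws2_32/oleaut32. The import tables are constructed, and the function names and the comparison to a native import list are assumptions for illustration.

```python
"""Recompute a PE import hash (imphash) from an import table.

Added example, not code from MalwareBazaar or pefile. It mirrors the
normalisation pefile uses and skips pefile's ordinal-to-name resolution
for a few well-known DLLs (ws2_32, oleaut32), which is a simplification.
"""
import hashlib
from typing import Iterable, Sequence, Tuple, Union

# (library name as found in the import directory, [function name or ordinal, ...])
ImportEntry = Tuple[str, Sequence[Union[str, int]]]


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Return the normalised 'lib.func,lib.func,...' string that gets hashed."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        # pefile strips these three extensions; anything else is kept verbatim.
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    # Import order is part of the hash: the same set in a different order differs.
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (assumptions for illustration, not read from the sample).
DOTNET_ONLY = [("mscoree.dll", ["_CorExeMain"])]           # typical managed .exe
NATIVE = [("KERNEL32.dll", ["CreateFileW", "WriteFile"]),  # a native binary
          ("WS2_32.dll", [23])]                            # imported by ordinal

if __name__ == "__main__":
    for label, table in (("dotnet", DOTNET_ONLY), ("native", NATIVE)):
        print(f"{label}: {imphash_string(table)} -> {imphash(table)}")
```

Running the block on DOTNET_ONLY hashes the single entry "mscoree._corexemain", which is why every managed executable collides on the same value; for this sample the ssdeep, TLSH and the YARA/behavioural results are the useful similarity signals, not the imphash.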

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
85fXeE8MtrqsWMh.scr
Verdict:
Malicious activity
Analysis date:
2025-09-01 05:48:00 UTC
Tags:
stealer auto-sch-xml ultravnc rmm-tool netreactor exfiltration smtp agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
keylog spawn lien word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Changing a file
Setting a keyboard event handler
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-31T23:22:00Z UTC
Last seen:
2025-08-31T23:22:00Z UTC
Hits:
~1000
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Behavior Graph ID: 1768679
Sample: 85fXeE8MtrqsWMh.scr.exe
Startdate: 01/09/2025
Architecture: WINDOWS
Score: 100
Contacted hosts: pgsu.co.id, mail.pgsu.co.id; pgsu.co.id resolves to 107.178.108.41 (IOFLOODUS, United States), ports 49687, 49688, 587
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures
Process tree (dropped files and signatures listed under the process that produced them):
85fXeE8MtrqsWMh.scr.exe
    dropped: C:\Users\user\AppData\Roaming\CIqpgcI.exe (PE32)
    dropped: C:\Users\user\...\CIqpgcI.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp2458.tmp (XML)
    dropped: C:\Users\user\...\85fXeE8MtrqsWMh.scr.exe.log (ASCII)
    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    Uses schtasks.exe or at.exe to add and modify task schedules
    Adds a directory exclusion to Windows Defender
    85fXeE8MtrqsWMh.scr.exe (second instance)
        Installs a global keyboard hook
        connects to pgsu.co.id 107.178.108.41 on ports 49687, 49688, 587
    powershell.exe
        Loading BitLocker PowerShell Module
        WmiPrvSE.exe
        conhost.exe
    schtasks.exe
        conhost.exe
CIqpgcI.exe
    Multi AV Scanner detection for dropped file
    CIqpgcI.exe (second instance)
        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        Tries to steal Mail credentials (via file / registry access)
        Tries to harvest and steal ftp login credentials
        Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe
        conhost.exe
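The sandbox report above names two Sigma detections (a base64-encoded MpPreference cmdlet run through PowerShell, and a scheduled task created from an XML file in the temp folder) and shows the second instance of the sample talking to 107.178.108.41 on port 587, which is SMTP submission. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code: it implements those three checks as detection logic and runs them over constructed Sysmon-style events that imitate the reported behaviour (the events, the rule and function names, the exact cmdlet and task arguments, and the mail-client allowlist are all assumptions; nothing is taken from the sample itself). It also decodes the -EncodedCommand payload the way PowerShell does (UTF-16LE base64, with any unambiguous prefix of -EncodedCommand accepted), which is what makes the first rule work regardless of how the cmdlet is hidden on the command line.

```python
"""Detections for the behaviours reported above, run over constructed events.

Added example, not MalwareBazaar's or any sandbox vendor's code. The three
rules approximate the Sigma logic named in the report (base64-encoded
MpPreference cmdlet; scheduled task created from a temp-folder XML) and the
SMTP exfiltration seen in the behaviour graph (port 587). Every event below
is a constructed Sysmon-style record, not data captured from the sample.
"""
import base64
import re

# Constructed: a Defender exclusion of the kind the report describes, encoded
# the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64).
ENCODED_MP = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming'".encode("utf-16le")
).decode("ascii")
ENCODED_BENIGN = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")

EVENTS = [  # assumption: Sysmon EID 1 (process) / EID 3 (network), flattened to dicts
    {"id": 1, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Desktop\85fXeE8MtrqsWMh.scr.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -enc " + ENCODED_MP},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\85fXeE8MtrqsWMh.scr.exe",
     "cmdline": 'schtasks.exe /Create /TN "CIqpgcI" '
                '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp2458.tmp"'},
    {"id": 3, "type": "network",
     "image": r"C:\Users\user\Desktop\85fXeE8MtrqsWMh.scr.exe",
     "dst_ip": "107.178.108.41", "dst_port": 587},
    # Benign controls: an encoded but harmless command, and a real mail client.
    {"id": 4, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand " + ENCODED_BENIGN},
    {"id": 5, "type": "network",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "52.96.0.1", "dst_port": 587},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = "|".join("encodedcommand"[:n] for n in range(1, 15))
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + _ENC_PREFIXES + r")\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None


def is_encoded_mppreference(ev) -> bool:
    """Sigma: Powershell Base64 Encoded MpPreference Cmdlet (Add-/Set-MpPreference)."""
    if ev["type"] != "process" or "powershell" not in ev["image"].lower():
        return False
    decoded = decode_encoded_command(ev["cmdline"])
    return bool(decoded) and "mppreference" in decoded.lower()


def is_schtasks_temp_xml(ev) -> bool:
    """Sigma: Scheduled temp file as task from temp location (schtasks /create /xml <temp>)."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("schtasks.exe"):
        return False
    cl = ev["cmdline"].lower()
    return "/create" in cl and "/xml" in cl and (
        "\\appdata\\local\\temp\\" in cl or "\\windows\\temp\\" in cl)


MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site-specific allowlist


def is_nonmail_smtp(ev) -> bool:
    """Outbound SMTP from a process that is not an approved mail client (exfil via port 587)."""
    if ev["type"] != "network" or ev["dst_port"] not in MAIL_PORTS:
        return False
    return ev["image"].rsplit("\\", 1)[-1].lower() not in MAIL_CLIENTS


RULES = {
    "Powershell Base64 Encoded MpPreference Cmdlet": is_encoded_mppreference,
    "Scheduled temp file as task from temp location": is_schtasks_temp_xml,
    "SMTP from a non-mail process": is_nonmail_smtp,
}


def run_detections(events=EVENTS):
    """Return (event id, rule name) for every event a rule fires on."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for hit in run_detections():
        print(hit)
```

The benign controls matter: an encoded command is only interesting once decoded, and port 587 is only interesting when the process is not a mail client, so both rules key on the decoded content or the image rather than on the flag or the port alone.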
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.41 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2025-09-01 02:29:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Unpacked files
SHA256 hash:
cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1
MD5 hash:
15e1339f52343ce8e1b302b5ce278529
SHA1 hash:
eb83e964b7e5ecce552b02e8ce48217e9e60ab14
SHA256 hash:
a280d28c6197cb1b3785ed2b5c6bc19ff55966229da64c48257d3c9c734d1bd4
MD5 hash:
98f2ecc980f6730ae3590eba29628a9c
SHA1 hash:
3397e62dcd55f2537e2a64f8ee1baec88502fc7a
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples :
SHA256 hash:
0fd81528c151cab8ec12e609f49bbc486e90104c6bf9bbe930a30805c5cf5ccc
MD5 hash:
e95741036932605280ca747a562c13b7
SHA1 hash:
86f282ecc644e8d9841ddb18ec54a1a6c615d1be
Detections:
win_agent_tesla_g2 AgentTesla INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Agenttesla_type2
Parent samples :
SHA256 hash:
0d5d2ce5b6a8ac144484fa7634d9d51f3fdbc56465b8a68fc0ec6b829cfd249e
MD5 hash:
0abb9b4faf3e166f0fa315aa6c4be440
SHA1 hash:
9889b13cbe65ef26fe1f9ac3671e2f73a703ec8a
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: AgentTesla
File type: Executable exe
SHA256: cc9053792386f5b65b663acfc4a7c4076db2a106692dd04f0c30c349837d7ce1 (this sample)
