MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
SHA3-384 hash: b86cc672a12777c08262b17a87e9d57e8b764beb8cbbdc613a7ed13a4d825678d0d26b67a99fe9b6db89785e5d63e02e
SHA1 hash: 767a3cd51c5f71d06930a397d1caecb45051138d
MD5 hash: 7029641952b5f91f2e1ac540cca186e0
humanhash: pennsylvania-utah-illinois-twelve
File name:AWB#150322..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:945'672 bytes
First seen:2024-05-08 07:36:06 UTC
Last seen:2024-05-15 11:18:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8ItnVi2iNT/SHQGweIjfffzrGIOmrecTfYlw9HiG5YTMFbn0BfBNLppX2BkR:851cHQLTbf3GuDTwA75YTHppmc
Threatray 947 similar samples on MalwareBazaar
TLSH T131158AE573165496C51ABBB7053150342260AF1E6F6EC2BB7889FF859DFB6E0CF22042
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0ccb2f8b9b2ccf0 (6 x AgentTesla)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
295
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b.exe
Verdict:
Malicious activity
Analysis date:
2024-05-08 08:27:36 UTC
Tags:
stealer agenttesla exfiltration
Link:
https://app.any.run/tasks/1dd334a6-33f0-42d7-948e-975453edd2d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/663b2ba611114a9ab5e27c7e/reports/fc166ea7-8407-4411-badc-187639b29f64/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d8a6fdf-2082-4f87-8b3d-850a05a9ee15
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1438001
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1438001 Sample: AWB#150322..exe Startdate: 08/05/2024 Architecture: WINDOWS Score: 100 53 mail.azmaplast.com 2->53 57 Snort IDS alert for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 11 other signatures 2->63 8 AWB#150322..exe 7 2->8         started        12 NwGdVxQuqyGAWv.exe 5 2->12         started        14 boqXv.exe 2->14         started        16 boqXv.exe 2->16         started        signatures3 process4 file5 49 C:\Users\user\AppData\...49wGdVxQuqyGAWv.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\...\tmp57AC.tmp, XML 8->51 dropped 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 85 Adds a directory exclusion to Windows Defender 8->85 18 RegSvcs.exe 1 4 8->18         started        23 powershell.exe 23 8->23         started        25 powershell.exe 23 8->25         started        27 schtasks.exe 1 8->27         started        87 Multi AV Scanner detection for dropped file 12->87 89 Machine Learning detection for dropped file 12->89 91 Injects a PE file into a foreign processes 12->91 29 RegSvcs.exe 12->29         started        31 schtasks.exe 12->31         started        33 conhost.exe 14->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 55 mail.azmaplast.com 193.141.65.39, 49706, 49707, 587 KPNNL Iran (ISLAMIC Republic Of) 18->55 47 C:\Users\user\AppData\Roaming\...\boqXv.exe, PE32 18->47 dropped 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 69 Loading BitLocker PowerShell Module 23->69 37 conhost.exe 23->37         started        39 WmiPrvSE.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->71 73 Tries to steal Mail credentials (via file / registry access) 29->73 75 Tries to harvest and steal ftp login credentials 29->75 77 Tries to harvest and steal browser information (history, passwords, etc) 29->77 45 conhost.exe 31->45         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2024-05-07 06:58:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4dwsxd226kgup3gbsycvqwpfo3rbxjcgqapz4rm5gtqpxij3cfq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
AgentTesla
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
AgentTesla
7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
AgentTesla
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
AgentTesla
+ 937 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240508-jfb6hacb35/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Command and Scripting Interpreter: PowerShell
AgentTesla
Unpacked files
SH256 hash:
eb0946c264b6c044d59f48135c6aeea07557a42c76069171f36d8165bd538bbc
MD5 hash:
b18e36cf6ab9387836ae41f6f751a31f
SHA1 hash:
d2b27cd5eb33679d5639f7e4b0cdc37f369c631c
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
SH256 hash:
7e2e7cf85f0a5476331c3ba61d22838ffa5c7af4bd155e7d0f207e15175ba9b1
MD5 hash:
3b9addc45f5cf5006d96056abe12201a
SHA1 hash:
bec4df1939e8dc789095373621ea946853ba8758
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
Parent samples :
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
43ac59293c68ea3ee2d9912525512249ceda5c0e74b1629625e75f011828bd2a
74bc25305325ee41319153323e722fb21fa052f0e5b0006d12894e906efcd838
3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286
1ccd4bde08beabbb7628115eea1f098e0c32fbc468d410a3474e530824aea835
a76d6e19ac59db6afea91b625c29f06f25316ccb74e1b7bdd59c68cb0aefac34
7bc7edf2f2fafaa8457fb596cbbcdedafd23544d75e739e777b73790965df6bb
c8bc2a9c8544716a04976357e3e6f338ae0c788bb0986912f07524ba36b6b3ee
0975185a93c48b57e32214d885bb9f4a75ec89f2325edfef27dfd64f02f27cac
172799005230f9863cf5a2248248fc9ddcf1849a45d40c2f79ea1924bb14075c
236614f95c217529d7252aa57368c6f8c2b3a13c95d6e77096a8914f714bbc35
89dc8a4e529a8860533365676d0a1431d335c6e1dd1f1b2238e5b5d820c4ac51
c9a815444a848fe94cf548373c941bbdbbf097e3a106005a43c99c716a1ab626
63382a3cc1e90e7dfa54826a62bfb5da86f4ad44a07cffca70fa3c509bbd5ad7
31c25e01cbaaeadccfa1321680bbfd51c17b876859be87fff22b2db8ee1e117c
145f6076604900c379d5a82d6a95e6c56df274b34d77158056dccb5834516461
b758560d291f4483bf7071fa3ff4017e1f421681a264cd8df1d72440a7020ce8
ffe6d376f480727369e4fa7d6a17b2b2ed8069fa34e5332dbfa99a89c68459d0
5b1c695d9556f668983a11fd1ff9be0a90aef963b15ab108ac812b61d8bfef5f
b264cf00761ea67d6c6e881988ba91d436aa801a778d2f640629542a4289f80c
1bc7788f9ec8a8e99c3a0dac3fc57c0cdc7ca2690b6ede27b807de7e5c7ca6bd
0801e3ba5ee4ceed58fce0a3e8c64c59ea9ef68602ba68276bf6b766541c89e9
0877b04273e885323c7e6485e348e39e92157343a4991ffcf7619128040b0f5a
73f84a24ad71c8218e35c8e832888d45a6595130d6aeae18ccd035f90cc91172
1ab01e7554ca61f291d86dae4cee160358fc21459425bfb28a7a0d8c0dddb2fe
a017ebe5d908a488c9fe0e16c08d8dece7eeb761eae0f29a873ede41a751bccb
fb68ecc763b52eb309d5133015ce88b89f151b7cd72ef05a876f0775cc66c9f1
e54bf4b20c28031720994ac7f99a5f151a9df956c14e437c9ecea84aea37119b
SH256 hash:
ab168d26851b30700869106a1f37819ea4dfd4cd187161e1c0195fa36dc7521b
MD5 hash:
67e63e8e0af6367e614d86d301e03b4b
SHA1 hash:
7c733680f473c7598b2d0f1b51fc1775a4eedca1
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
SH256 hash:
58d69063e7c1778b8fe306608d01b54712dbedc6865f684d2416facc208f3f23
MD5 hash:
c684019e698444faa861bd040ec4b439
SHA1 hash:
4caa1702d5ee83ea9074198adeed93269031dec9
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
SH256 hash:
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
MD5 hash:
bf426feba5a9a2f55c1a2e439b3f46c2
SHA1 hash:
4b547c42a4a14a4edac9fce0484eeff41f1ec116
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
Parent samples :
7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
05a341609057f68b1b8297c7bdef34c889f8a92cb47b54680c8b30afc4c102d7
0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
48dc7a59d9890db7b030f03aba1bb5c64b401e572d4531c7956c8265e846e6fb
1809301d773302b15457bfa5830b9eebfbec989867db46e9a06882af386df130
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
ce356848dbe05d9b3dfe99c857e5abae2e19ceefbbdaf32d2c786ffc434d4314
049b5a9dc73afb156d98d5087d9d728287a857420b698ed12d494a2924341667
b9f7f2043b9a1cdeca868f55c33bd83d993be160ca42bb38ac3281ac00f6ec10
7cff23ba2bec8f206920f7814f67fb40698292d87b0137c9a87dac596352aa56
566368d997e93866144f269b23a33a54d910e01c6723ea141bdf88bd9202f31a
20184d8ae4b97f301f2c135cbc53f1600d2da3952653e384aa38578a19dd1b94
d7f670f5225888ddb631d26ccdb01a8c514965d48e15f3913348db8949b606fc
0c12ddd4730b8976410d8245aeb9f69d148afa2a1ae2a761ff82ca1744dfa207
47023bf6cf58f345002a5ced2740eb0244c02d1936123079d1ea41c427d5cf90
925a02479f706216058e6cf4d91699eb576eeefb9dc04c2ece544569154fe891
c68376bcbfd140e682ba3b0f7535af83a9653b63f090718ce028a9a65514959b
622cf81d55d81ae7200c6f7353d62f9ab64a43ba762fa1b604749d85ae2a8d07
1268ff6a657c693e5b4fa2ee3aa1ffcf3f5c0449ab5468fb430a3147314e2931
331621cd29733a7586ec0ecc51705f13433e146daeeaf2fc1848f8f5e8cb1306
3130e85a4fa0df65c8ab6a310c3ea1cb2c91e4cc2cc55f77c1dfa1e606037438
9c88b2fbf7b78279ae5a1f6c4ea318e2d4620d1f6ce23d8f89b1bd3e50bc0f95
966f683a0580f7d052c49ebda86cb0fb3ea22199fa37698cc0e0fa7ac5a9a95f
cd04d0be3d3ffb70bda5e2dce9f0bcdd480e5209f000a91a473f8020eab0deff
9e40251e52536336aee3deb9b764441efff559f90a83987c3f51db874bdee361
d1277cf74db30d16884abaf7a0f487374f63aba610e1a966da28e71a421db7ab
e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
f23060f99dbfae0f176522266f43adedd3a79eef9960d808201e472f3cf96832
0a750351ec2b43d2ff77cf94903bcb9a2fda69450d62eedf2fa4eebda26e07f2
377449ca71b8a9f0688ce1826a2b245cbafc8dcb56498eb6db9b5a973f5ef36d
307b6baff0d23da831efea1205facd7d4352fcd532edca732ac42322eabb6eb5
c5f5072d4434c3210c68708a250b1c62304f213c5f0447c010e55c6d4d6370d5
34f7239e0a54a95941f92fb3e1b027ee214ae6002773e917e23e58e28a754726
1b57a890251e57f1b1861cdecaa0c02ff83d438ea0cef15a677dfa0a67e7891e
ca7bfa1d520a6bdf0711c132a66bf28a10bad487ecbc225f69038ed95619dc86
5dc68c4082f00849a418aa068b15322c9888e2462f517fef05b6301eab33c770
bcdc102d9b2ee935356e5888be20ed24f5e6916f668d1847a26630223265d197
b4146ebcc1fa90a7e4adfcabba15f5fe474348666fe15c98367216932fcfa7bf
6a37c6b56b588d4bb27dc42af88e95ac60bf80a0544870cf6476c423f4eec2c1
ca1dc64bb446fe0612f320105ab988ea750a7d7c9e1e0689005925dae6d3a8ee
c6e903556bc2f879377ea0e482875eb73d980edbc156419ea3bb741647e2ae04
22227fce9d09014d3fca954bf6fba7a40cdf9bcf4b8dd13f69914fab061d0dfe
83daa016494bbc800ff8e1db308b5e3dc9c0b73daaf455a579d8268b4f44f3ed
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
e7dbb76c52c158efa316bd2236902bfe1208e0742621b9652806bdc13ea3d6e0
203bacf22feee36e2d35a3846fce5db308f078942ce7ed5a16a9671f6138e46b
9db03971f027f14894036a6c0bc19fd875dad7387708a70623d1f3a8e5627958
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
1d7754c8cc8eb7df3bd429fe9806b85f7f6fbd768ff59948a1772eace6dec77c
115fc6621dd995b238916ac8629521d718fb941f0b455f019c85b1a4174f47d2
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
c28cff180b9334b37f4d59ec77dd36b6665e1a3e8f4625be51f9205e523750bd
11dc8824044bb1848e5675025a503ac5f37a277883f4522d0e8a4f238d049345
bbe3fb7e0f0ddf898c7f5055707dcd5847cf14801f02563f384b75ffd06ece4b
28cc41b32461784fcf2bcb6d66d4ad44cdf10edd2dd8d2b2712e901d1d44ce99
9d4250be0e0211b67c9d2817e00441a0031156edf03e4cea333153275bb87519
9909d16ff5a6e59c3f55c3e4a8bc3c4fbe4fd56c728ffd1875ec602ec1ccd57c
8201ae4019ccfc7b3756ddfbed3f8fed7dc3f65fe47ca2d9b2ee67efc0d57e3e
c7a842c7d0b5d81693410eccebf67e1cbd0725fd1292dd695617494f47543f0f
1bc2001563ec7cb81fc1d7086b7d8bf36b285354015654b9ac2bcf051c68d2f7
403fb4a908a97f67ebabaa9d60f9fc520d3f3f44a892c8f3b9b9fe44edf59df2
4e3eb1a503d160b9cd151c523b34ba05c7bcbd79974a0a46fa092569db8bf2a7
11434dae7da8d82c7cfdbcd435b920c3785903e41dee470bc4e191c6c87b5489
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
f4a45365e22a84bee73e3d8339ee08f2336d76bd78c3f25cf61a08e4a4085a2e
55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f
655bf2b084f93181d47b1ffb31e944da4cd4779a2ce1a17f37286b17684677f6
a26493d2e56f50c049733bc651849a42513021b26bcf8c9fbb4b71fd0b3bac54
17cb12e355a44f0aefb9ec8069817a61f409d455129feb61b489d508c0721992
561f3664b4dcc39b1eb79236231b0e36fb5fde10c8bda6d356d2fa63925f3a6b
SH256 hash:
cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b
MD5 hash:
7029641952b5f91f2e1ac540cca186e0
SHA1 hash:
767a3cd51c5f71d06930a397d1caecb45051138d
Detections:
INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Link:
https://www.unpac.me/results/9952849f-0ebb-48e8-af75-11461e4cec31/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf07695c7ad7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe cf07695c7ad7946a3f660cb02ac2cf2bb710dd223400fcf22ce9a707dd09d88b

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments