MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
SHA3-384 hash: c4890dd7020a97d30566df9f4f40964025da3cf7fb4f91357af3e9e1294e99e2adc11dff9c075bfbacbce14c0917ab29
SHA1 hash: c5434c31851555523d380591c3c7a3ec884278b8
MD5 hash: 0d6903937d99f589999fe92abdf3dfa4
humanhash: ceiling-shade-south-queen
File name:Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:894'464 bytes
First seen:2023-12-21 07:43:30 UTC
Last seen:2023-12-22 14:01:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:HGXDY6tTAvg2Gb/AM2JHabeXPLCdSHGPT+FdOLSfgGGqi:mzBAIAM2JHabIbmP5u4hq
Threatray 625 similar samples on MalwareBazaar
TLSH T16F15B23C587D2237D6B5C7A58BDC8427F26CA46F3151ED6498DA93E603C6E4238D322E
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
311
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Payment.exe
Verdict:
Malicious activity
Analysis date:
2023-12-21 07:45:48 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/a6059fde-4882-45c4-9434-51c50acb4377

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468754/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Inject4.59820.1924.26410.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/6583ecc4eabaed0701720a79/reports/635016b3-cc37-4675-9116-b5818e78147d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/323353d8-4c99-47f7-b698-d4c616ad4860
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365451
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365451 Sample: Payment.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 57 us2.smtp.mailhostbox.com 2->57 59 api4.ipify.org 2->59 61 api.ipify.org 2->61 67 Found malware configuration 2->67 69 Sigma detected: Scheduled temp file as task from temp location 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 7 other signatures 2->73 8 Payment.exe 7 2->8         started        12 YakYtYDCtDyu.exe 5 2->12         started        14 sOFvE.exe 2->14         started        16 sOFvE.exe 2->16         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\YakYtYDCtDyu.exe, PE32 8->53 dropped 55 C:\Users\user\AppData\Local\...\tmpD886.tmp, XML 8->55 dropped 83 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->83 85 Uses schtasks.exe or at.exe to add and modify task schedules 8->85 87 Adds a directory exclusion to Windows Defender 8->87 18 Payment.exe 16 5 8->18         started        23 powershell.exe 21 8->23         started        25 schtasks.exe 1 8->25         started        89 Multi AV Scanner detection for dropped file 12->89 91 Machine Learning detection for dropped file 12->91 93 Injects a PE file into a foreign processes 12->93 27 YakYtYDCtDyu.exe 14 4 12->27         started        29 schtasks.exe 1 12->29         started        31 sOFvE.exe 14->31         started        33 schtasks.exe 14->33         started        35 sOFvE.exe 16->35         started        37 schtasks.exe 16->37         started        signatures6 process7 dnsIp8 63 api4.ipify.org 104.237.62.212, 443, 49706, 49709 WEBNXUS United States 18->63 65 us2.smtp.mailhostbox.com 208.91.198.143, 49708, 49712, 49717 PUBLIC-DOMAIN-REGISTRYUS United States 18->65 49 C:\Users\user\AppData\Roaming\...\sOFvE.exe, PE32 18->49 dropped 51 C:\Users\user\...\sOFvE.exe:Zone.Identifier, ASCII 18->51 dropped 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->75 77 Tries to steal Mail credentials (via file / registry access) 18->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->79 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 29->43         started        45 conhost.exe 33->45         started        81 Tries to harvest and steal browser information (history, passwords, etc) 35->81 47 conhost.exe 37->47         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 19:29:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3hbycb3bsqwgdeni4lp3ekzbpdljoc7uosuqrjfpdpeawmbcu52a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
AgentTesla
289fdeca4e918db13a5b5bc5f46d377877542b3c3c534859f7dab8ecc088f93d
AgentTesla
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
AgentTesla
73d86b4c5e0ec35d75e6d81fa0244f5320a267b34fa37b12f5d548958c9390f4
AgentTesla
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
AgentTesla
ee4ae0633d4f95d3611693174a516e4a4c20dddaafa737245fd8a7100a49b9e8
AgentTesla
+ 615 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/231221-jksztaage3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/d6c82b6f-23e5-4c5c-95a1-61df6f96ba3c/
SH256 hash:
98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07
MD5 hash:
aa445eee133a93b202ea105e5de4e232
SHA1 hash:
c0968cfa259d38fb80af27465c314ba889b08296
Detections:
AgentTeslaXorStringsNet
Create hunting rule
MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
Link:
https://www.unpac.me/results/d6c82b6f-23e5-4c5c-95a1-61df6f96ba3c/
Parent samples :
baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
SH256 hash:
c681e39199e58b59eadda0b0fcf86b9fc2e6c43cb2ec392bc05627245b2148e4
MD5 hash:
44c9c77691c640a1c57dc3b82db6cf70
SHA1 hash:
4da3e3d560a75b61a381ed657e34b0ff89548568
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/d6c82b6f-23e5-4c5c-95a1-61df6f96ba3c/
Parent samples :
ada28dc16f1eb7d03ad145b01c1525e832d18bcd8a179dd68c1f5c4313b5853f
9496ea650a182fc8c1b87b205c226d44b7271186b473b156cfb727c2e81dca0a
2fefc7f1b4dec38932b815ef1192a4343c4face356016de5ede1c17958950975
be69955e99c6aec10c257ba0211df9cce2fd5af533a8932ba447b1450aa35699
59d1135fc573e663c3c92460520c6ac49ef035d3ad789cf69708cc6c6409a9bf
bb0563d0a398d0501bda4848f662f494dc8807b2ca7e81fd733d38e1145f1efc
ba33d177c1fbc1f4f44ae77af00eb377e9196b2f9f1556e94fd82b942883be13
9996fd83b852a172c456594e49d2a13d94b0c8d55a9a2d28e5658853ed819b28
c5cd096e51840ab5ceb8a29c7efedee7ae3f16562bdd4779b5b1bd44dfc784e4
128b915c058609131a3ae2ae25b26aea06b51a0001bb9b9794b9cf401f16668c
961501b7f2e2ba7d255fc9cc4de8dfd0697dd2265c2e4e316f92854166614c31
5c7c411ea48976a55a30558e1ce6147a7f28b6b99d84083e1f01de1db86bb588
9dd7786a5c103076ba73cce2e2a3dad65a6a76684c781a86d924cddf9bffc8b3
a3980c5f653e99fe53dc88f60a9ca1b4954b8cee932085ea57b1f46b9c7ab4c1
30f5366a61da542dd959a186cf9ae3cbc13efa1d66fcb67631b62cfd8ee52612
9feeb14ac128b73d9c6eaaea8c91272ed93a1780c126b6ca90ed077f1185484a
ea93863c147402b54407c3a1eff90043b55e76a08aa3ff4a8823469dd4d9def5
46295ce76105598ad1d887f772d13391523cf76347b3ce1f8be1db96053c278c
9704e443a68009427028c22fdb39eb3e28a32709d42358b1df4c95d16a4112fe
ac44b7c74193bdc699761d10f631bde2dd81b7f4d23d57f6cd240c62a9b26331
6464a6492dd967af2d0582451a3574b456699f0337cc6b10c088988078fed79f
4c3c1031279a42eb5955cccfd5a006235cd27b909503d10ad4eb1c10dc5cebfe
e404945ee6da74e3dda8a92dbb0e7e163c46a48c84aa0a291456a0f66a5030fa
5336c951ff27b8609dab0bcde98c674d54e972eafc5514039d0a893fdd52a965
b25ebc1b52d81dfb1cf844c3b87d65c0a307589b2775c12aa7c7c2ebcf74fcd1
6bffe8588990f845c6eeafbdd359e2355dbcd68de8b0605175935886857970bb
0390ab5a06e04c8c38776aeeea11fd0352230d049be1defb139e71e8906114ba
3e43fe5dce47c5a3115320ac38040f4b6367e58356a06810ca638579da1bf3d1
fccac8700366b9cf48eafc5c012a1616534d26fc6501d4014e56a0619d5d0db4
b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce
3d537a7796fa465cdff1388141e37df9ff689007f024808b90381640f99b9b7d
9cf514b4555e47eccf07148c0e961250d108d04d8187a4aa224629f7a0961142
8737b9c5969931c61500427c301c40e635acec433bd4450e1dca9f202e97fb6f
6819d0ef008f17b3bffc407cbc8e37c43eabfdc39bdb10029afb535f542e4d86
7948315565e8321056661c7aabdeb10e01ca73d2425a6f6bd17593a0ffb484ef
531ba82cdd6f8cba501fd8c5160ec637c2193ce69c455dd8e591da083f2c80da
509f9d3065054df28846986ba9a1190361092f3bad865d77ef2ff10d32151ad2
abd4a743c4aa8fb625f1af14edc51606fc1b8e1a15396d9db706c1fd3cf41395
4a0a2c6bf6a863c1c56fb7b6657fd8cd60369e03fb40d8634eb5ee37d8575390
5721a2c6e2c0a577828b9e4b3690a18a7df63e541aeba65781464c1f73e8da91
24ba94ab2486ed9bbac37e3fb3508b6bb38ec8bafe1c0816719351e0790a21f4
e5ba53de1a80eda27337da32ad9bf522473c542fc42a434fff3fc843cbdf88ed
d2312c82b0ef97a5bfcf73173a4b72a720c2194278d6a7815091e4f4727e6a61
fe708d845a9c3e6d3338b2a146a4a5e68fe05d448b72a63bd60f4b431b243d9f
56cd0e12747b872def87829710c32165fc42e34ed351872e1750fbc13a8c31a0
93c052934438599045e6d9a3177f5d7d57960cad17070bc74444c1e4818bb81b
3de39937dbba16980b665dcf03505af8bd11a77a9f09d8e5ca69837932a9340e
b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
4f8ef9616b1237912967776aff09a8b8fea96837f78787911ce7405ecb4b001d
33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5
3ae22f99bd5e1772eb6f9abb1d127c8682b5847b6e7e062d843ef236db85e828
94afbf76b9c59a5e2ae4bc864a78c41f92602c5b37e6771eb29864344b69dbce
b091bf4326241b1053f88a1a47618fee3f87ccdce873a9bb79e653670b7e4948
8d693225be9e1f824c20f3bc2f71a9c21e87a2b32bca274580b7abad75ecacbb
d02530a2bac21b47a1ecaafc185ddb11680c9a90d0fcb2c52b7b081b952f1cd2
01dbf52c9a79ce268fa7b5ab876ab6c8a8e6d5d5de70ccfacd11ca169e83908a
5c11be9fa69ed199fb4004a1fb7cf649d4f7e469b43c7b5f73f4867cecf89d18
7f2fea83dd18d529a6a6440334240fd6ea6cb4a84d4bfe1ab3213c894a7a51d0
0eed254ba5c7e7cc2b6ac08be4b1a450d453b58ed58d5b23caed7fb0db89961a
9dba8d99de990b1900e024e45a32d8ed2ffe06018ea422a92eb4a9cca56144e4
2b55e6baa2cf6110fb403cdf32cf7b9c06684e06a53a417b9f0bab73fb9c6747
71cabc7f66e840c073f576ee3051b7e4eb355bc28065a10eb06e5ec737d08221
61c11d170ceb320bafd7872824de7ce33d10fdbb5ef585e67487f9afcde5e207
4e77677a9a29e465f030c9a9695533c8dbde964ecc66585a0b9f26a1548ad3ff
0172a0a250dca4e77360389ca9a6ee4dec2f306bd056265c9a42de7af49481f4
cf672b77bf6d5faee34f9ebaca90fef0222b422db31d4464ec73126a15736c3d
00972929b3e57240b86f2812aca237acff75e09d18a55bcf575d22a2beb5fc9f
8e57e2bf33cb22ceaf6596ce060680e8efa099bdaaafc2383b1d31b24b0fca58
6d306743daac37b3fcc6276d1e507f504833ffb8db0839808c016a339a64cf85
7bacfc4148055cac9beba5517630e42a46ca8689bc8e6fd1bb25831e43e58582
e28cbe3c81e959dd96ca36cbf3585b4523ce4d75c989ffc16d756f71b3d2fe54
2b6f9aaa250051acb504eb782e963ef4bffca581d26d7c632b405f130ee5e09b
2b99095636ec250358f5abd47474a374de96f743fc2fadb89642401301e6b670
ef8e672ff4f30d2630ddebcf804c67d572e9979c949e4803654572479f486db0
e50bfa53e75f7c54582c2609f3c59db91bb47590a43a49e95e5458a6ae97ad4b
d6aa67de9b98880b2d666debd047112535c8527642220a81b72d6246b1eff210
0c263290cd7f3c225d5f7b2ba488ac5d9927b03411c566fd81b73bbee827c46c
0ca7d41fee3a2830bf3c46fad06e838fa2f3a362a3f62f58f1b3f0176146ddc3
937937444fbc2f971d32996dc728c166315195b25b2c0aa4befbef762b93ea35
46a870926fb693596e4fea1ff6ed4bd228d8cc63a9e285997ded48b1484ab3f5
8736f4327bdd2098d35ca3ed5c2733f3a066a434804b846277047ef097e09c85
68539ce65162c2526ee390f706b68e249e05e0453f2e5138dd77a9d5aaa9b54c
1e0ec921f531219f110e8bf1e1e5b5d757119ea7e2f1d885bfa234007548c95d
6474b902f837575873e3b356ef0939eedccf0cad4b07a82fc5b7aa80d3b46339
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
4dbdafb1f38d8d8f55f611e7e6985b3975658a8b0b652d80c432eff73812e21d
169ad5c33acf7a4aae70046eb2ac4e8f60c62c236065c616277b827ea4ec00f9
79658843a0028941539f3b437a8d262c78b15e6e58f4b1f7b96bf357b06fa84f
326f39b2d29896b3748625b4bab991da83ce7583b35dc0ed984455c77f24057b
18f9d778efc5dcb90c7ae7ccaacdfd8b9041295447759c1811e99a5d0a48dcda
a9ed7edf5b5cecaecdf126bafc6c85d3ca918363d874f3c33afc07131bc43c4d
26f693ee7807e9a341eb9936519194f587d1bd2998fdb734d36cd62b9a46b8b1
d34e493e8e0dfa5e9a04ded3565e2ed4d60473148e63aeb3fca9a7f62dc90900
70369453cd6e8481ce8f2fc4fa4074fb998a27ff6f91bce6caeab0ecac36493b
781fecd030f2f437a89dcf726a45e3eed218043316b35e80770a20a6f4bb62e4
c569fe7d3ccb9bf36356f829d5ab7de3ba4261d3beaffef1e690d8d197919c71
221df9cb593d75416b887497288cdd49ed654c164f1a752671301228a97e2282
97a3313357020aa0cda6addb7bd2015cc52f67dcde4c75f4d89f9f4d76f17b04
3e90bab5c79be10c283f3752091122910f7c5b9f35428a37eb0250d244d01f94
SH256 hash:
faa1c373165c0458e261ed16f0af6425231b30fb24e316aac33a316461fdef99
MD5 hash:
bd137380994fe3c430d4ae3fcb2d3ba6
SHA1 hash:
13418387dbbb2fe82f93600d0f3b7550b4d5bffd
Link:
https://www.unpac.me/results/d6c82b6f-23e5-4c5c-95a1-61df6f96ba3c/
SH256 hash:
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
MD5 hash:
0d6903937d99f589999fe92abdf3dfa4
SHA1 hash:
c5434c31851555523d380591c3c7a3ec884278b8
Link:
https://www.unpac.me/results/d6c82b6f-23e5-4c5c-95a1-61df6f96ba3c/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d9c381076194/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e5e2af1b8ea169231817c1ed9b9252b50e0e1f27f91fa3b56c98da8c03568563

AgentTesla

Executable exe d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468754/
  
Dropped by
SHA256 e5e2af1b8ea169231817c1ed9b9252b50e0e1f27f91fa3b56c98da8c03568563
  
Dropped by
MD5 000d01e211206849d431279c64aa17fb

Comments