MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
SHA3-384 hash: 7446c05315dbec12f5aa93550fbc3d2f393e1f15219873c2056b4712a1a2b4f5fbc293ec4af1f5b360a0499d2046c3ef
SHA1 hash: 8f95fe68ff5089b7758e2e616de9b8794d56b17e
MD5 hash: 7aab87bdb700f87915b9a46fc8b777b8
humanhash: august-grey-orange-happy
File name:SWIFT Transaction #MT1038525849_Payment_Copy_Receipt.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:966'656 bytes
First seen:2025-06-18 06:32:08 UTC
Last seen:2025-06-20 07:51:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:lj6W7vLr9CBLb4Li8r/rbRFGt49qe46+Brr:h6W7jr9OaiMzbr9qvB
Threatray 3'338 similar samples on MalwareBazaar
TLSH T1102549F51AC37911E46A05F1FF9894BC133F8C8688194B83D585E8AF3DA3AEB451C6B1
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon f0f0e86961e8ecf8 (13 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
2
# of downloads :
483
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SWIFTTransactionMT1038525849_Payment_Copy_Receipt.pdf.zip
Verdict:
Malicious activity
Analysis date:
2025-06-18 06:59:07 UTC
Tags:
arch-exec stealer evasion ultravnc rmm-tool auto-reg netreactor agenttesla
Link:
https://app.any.run/tasks/e0c57cc7-9cbd-41a0-9a7f-a72b7761f582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9956/
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.18.12842.13002.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cb9940e3-69f5-44c2-8e95-911af9a12df5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717125
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717125 Sample: SWIFT Transaction #MT103852... Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 65 ftp.haliza.com.my 2->65 67 api.ipify.org 2->67 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 14 other signatures 2->79 8 SWIFT Transaction #MT1038525849_Payment_Copy_Receipt.pdf.exe 7 2->8         started        12 sgxIb.exe 2->12         started        14 ayeHNsWZupLk.exe 5 2->14         started        16 sgxIb.exe 2->16         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\ayeHNsWZupLk.exe, PE32 8->57 dropped 59 C:\Users\...\ayeHNsWZupLk.exe:Zone.Identifier, ASCII 8->59 dropped 61 C:\Users\user\AppData\Local\...\tmpAE9A.tmp, XML 8->61 dropped 63 SWIFT Transaction ...Receipt.pdf.exe.log, ASCII 8->63 dropped 95 Adds a directory exclusion to Windows Defender 8->95 18 SWIFT Transaction #MT1038525849_Payment_Copy_Receipt.pdf.exe 16 5 8->18         started        23 powershell.exe 23 8->23         started        35 2 other processes 8->35 97 Antivirus detection for dropped file 12->97 99 Multi AV Scanner detection for dropped file 12->99 101 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->101 25 sgxIb.exe 12->25         started        37 2 other processes 12->37 27 ayeHNsWZupLk.exe 14->27         started        29 schtasks.exe 14->29         started        103 Injects a PE file into a foreign processes 16->103 31 sgxIb.exe 16->31         started        33 schtasks.exe 16->33         started        signatures6 process7 dnsIp8 69 ftp.haliza.com.my 110.4.45.197, 21, 49691, 49692 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 18->69 71 api.ipify.org 104.26.12.205, 443, 49687, 49695 CLOUDFLARENETUS United States 18->71 53 C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32 18->53 dropped 55 C:\Users\user\...\sgxIb.exe:Zone.Identifier, ASCII 18->55 dropped 81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->81 83 Tries to steal Mail credentials (via file / registry access) 18->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85 87 Loading BitLocker PowerShell Module 23->87 39 conhost.exe 23->39         started        41 WmiPrvSE.exe 23->41         started        43 conhost.exe 29->43         started        89 Tries to harvest and steal ftp login credentials 31->89 91 Tries to harvest and steal browser information (history, passwords, etc) 31->91 93 Installs a global keyboard hook 31->93 45 conhost.exe 33->45         started        47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        51 conhost.exe 37->51         started        file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/7aab87bdb700f87915b9a46fc8b777b8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-06-18 01:53:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cjwh63vrla5ahp7zizbftmybkr74gm67wssebjpzdb6aqntd5ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
5abfe96f31b8b8e4013501cbd3e7bb332e03b37e96f04cb75f05c04f15bb66ac
AgentTesla
cf7c1f62432d8f62f8a12d58cf0761953d8be84d975abfafcb0071804de5a2c4
AgentTesla
dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422
AgentTesla
e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474
AgentTesla
+ 3'328 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/250618-hbfsfsvqs7/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/735092c5-475e-463d-8327-ec2a0a5a6c25
Unpacked files
SH256 hash:
e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
MD5 hash:
7aab87bdb700f87915b9a46fc8b777b8
SHA1 hash:
8f95fe68ff5089b7758e2e616de9b8794d56b17e
Link:
https://www.unpac.me/results/b54a4b4c-a9c4-47d5-ad72-3c29deee074f/
SH256 hash:
fa3889846854ef037c9e350a7274d50fae8c2ff11e91ce1e06453cd351967119
MD5 hash:
9d7041814acba87c294b1abcfadea481
SHA1 hash:
53bc6f748ae5c851d23b6ab8635d38fb9eeaf58c
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b54a4b4c-a9c4-47d5-ad72-3c29deee074f/
Parent samples :
a6cc6e17a43fd18e44449df2bee44d53d4098817149e1d443a61777cf458611f
d6a676ac2fedead7999ed8250543e38da6096cc6efd3c7517d49d6b090ffbec2
1fca7f3155e24ba3e96508a8b406395c80966cc7aa5f0ff9e6201f7979c80b8b
dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422
797f44aa209382a598bf62263d36a65d3c0b238c6e056ac1df84dd989d79ff03
7d6248b79e83e710efc263a60b855854648088ea196e3460aece7f3fef4dbc8c
841a3a3d4807c215f922e72b1391e8c56db813173a248ce4e5e7b29b5534b5ec
b1f950d68fb3e445f741d2bb7fefbcfe1b1a756548dcc6f88b173cae77495b57
0195c54fa21dd3d6ba8e59245bfe3953c0b56a05f53f877654a634a5bf088a86
fe8abf598767162b0eb16dcf51205afcfd221eb2b2f23f32e5b286de19561df8
0c7252f921ef57eac052095ee10c5553c98f123d2f7484d795179c19689df5d6
f8e5a47c68fac52c69ec3fd461cde2ff76d64fda08c528c066a0ab822485cd23
5abfe96f31b8b8e4013501cbd3e7bb332e03b37e96f04cb75f05c04f15bb66ac
e09c5d8ea6eb4b7eac7c73e951e3e43d95a62a94fa053fdb4ef64da70fd76361
04a80cbfdbc1428ea6a1b6377bdd9d164163abf0ac1460e59db8862cdc322382
4cd5676a9e5f1f59e10c246d9a6c674518e66031fea5e17d23318ece2c5e9c67
ff14655342e9f2d6c62955f89111bded7e4d1f65237201e502fb9b7fbd75c46b
4a6dcfe4dfe7d02d44962cb9e47d87d6d755d0a9481a8013b145eb674ba567a0
a25bab1b3a0b9ff47c05a477831e3c14ba6b3b9b60a1a7d339595b8c5243313a
cdf8c43cdca0aae5ebae3ae4155f8ec78d84eec31e864c0cc843b99c61d36c1d
20331b45b686e183cb628218e6fe464eb1e7e2f56ea9336e7dd3ec067d194226
4fb637c4caacb8d3ea6a9db3b0d06cc8a9b5b0f23429dab7d0697053a55aa0dc
a497dbe34f12783111bc413a4447e581e48e5c539f8325ce95fc71800f1e4c43
e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
de9c905c7d05ee8775d644ecc9354ca87a1c74fe5eb23537c0bec8784e7dfaaa
b456078d0dff3c375378480fb133a340d88ae4b59d6598ead4249d66523f3428
4bc3ba71f56e14ee1e7eb8f6fea0fbda1a9aa92545205097476853d0308ad623
f47b7f935ea1bfb7dab5c9e31e368aeb7a07fe506a4cf430c36b9a3cbe8ddcc3
d24f280b413e7e170bdc29ba7bfaa7a3d221e582204c331803a9fbba64ff7d13
bb6f0186eec1d2587ecd2b6b0e0c88c8189823fc633c56848365b362dc3f53de
44bcdcc19976200147601f72c903a84f73d79a82782af77a5e4da96b791fce73
3144e19689bfa00782be4602c85cb949b03262fc1da9c2ea1e765258668b61ba
e5d18d2a845b927f1f7d7f7e33031a20a3d6b540e2b00f3c064255ab3948e7f0
c8b76fc09a283dae6e7ed2f6cae8e31d0b4038abf3f851da15672110b99fd23e
698e5418168e5500b644766ea8c31cfc826ec6399c1f61cf85481caa3c183a65
638c6eea32c710305fe44d62be21b6ab68a957e8a07a487b2501d82bb2419f1e
e61db8e0b03e566917d24767e2146e6335f4dacfd1b1a8cda8a49de6e0544a19
f700199315360a824ed6eca65f543d531d04210118e3cfc8bfbe986ed1641aaa
0f421725abfeb6485909289412de00d17fafa7f2f13b4f6e439f9aaf637c2470
cc5401e45d7f9f7e2ed916b1ecf9acef960d221e4512ba7f465bde7b56b57834
fae7e35584a2df9dffeab985c2b6128609a35ff7eb7d994b6295e8a3bb5817ed
f9c3b78cce61d4ef1c118287edc5d5d3324bd64df1d2c704c087e7b073d7eb33
0ca32ef99b452e03e0a45dc234399bc6a8588ed4eabdce7afacce73f3c20aaa6
ffc12a905f90d00b9381e8e3226adaf6c25e3deabab70580a46f39eb1e68deef
a0a646a7539bcf09db1f8d40395bf5b5c1ae885e808e512bbb4b898a4495c079
87fb77ed68ec8001ca8f1dcd4be4bba3dea657778223ced143964dfac2239f52
090be2d28dbb7a3d5782f1946ca17e5c048987dd027090cf1de7b8cffc0c07ea
0f99bf966f34d5152ee51fd8510a37b3fc0792334c9b8f2475e896bc2ec72a6e
89a08615e8a94f42744b85d9486cefafd9defa24951b8d69f0c8aadb082f2487
1cdb6733c402bb21c71997839d008b94e69097f3156e69bad3dd7c252cf042e7
97719ce27cd8169ca0f4db352c3f9c53fd700c55d059e9835fbd451e75f59bb6
da00184567031f30767dae698ef809f2faa6ce271b03a4e03695f0b236e68d1d
e4b8f8770eb2fe1a6aefd4ac5087a04e1034bb5ab320a200b8d4e3279f835597
9247f2f45db631dd50e32455deecd8bc32a05cea40bfcb4c3f3b9ebb0732eafd
19d152d22b4b9d39d05e579b9fe7c48060ad4f2c2786da3dd3d497197ec3c7ad
bace7360ffdfb5ba55798cf7c08452ea943877d49de2f135956ff0eb0e0da98c
0228c928cdc2312658629a75d65bb333014b28585f6b5614db51b86e7189a234
90c39e2981ae3de1f04f0e946d0c50271e718cd853eed6333e67964c78a25465
d29651c63ccaf0392b12fe7d501cf7072878a1d5bdf77cd98d9ce7c53c98d907
2f835a2d633b2fb81fb9375cefc17313e59a283de5869b7d7f04b42e9134cf25
0e6389a3fdfa62ca6e1b852be32912ccc7152011c3de3bb12bcca515109b3f38
e82761150effc8a77c096328b3fe325dd7910104f9d756a56868653e3c813dc6
56dd5e30024791d0240babaf7110454704ecaa0936bdde1c7a3e626b89a6c7cb
26d88548fb6387644d90e615eca6e1f0103ffc5df0b4de341c81cbdc28d53ce1
bdf389c57bb92746de7ea48eff0df48bbb66bccc9e451e632b7ed76398ab7e0b
3f41083e15aa4dc793017ee919805df5132743988a31cca59099d5a8842f4186
a04a0223a2cb079868f34225df1953d8897690ef0fd730f2d83a8dfa9515d874
3a8d95ebd1a116107405f1cb2a7d42e954643a9a0244ceef22a70b656b8525a3
6fa16359905843e294d5f805986bda12aa603775ea7db1eaf10beff3493c3b93
1494ed37c7ea409a0d8445032855474030fc4dbe0c16844b3b349d55acea5de8
f6445ad9735732aa3ae46b05eeb7707cca1aa4e0fa4ad72e64de3d1c467d5121
bf166be918695404ec2724b62671d7eac13fd67e39433894439d70a2ce534861
a3bbb335406677c373dc6f68ce37705ef3e419439378ef2b58f93302914e0e3b
7e855c3d24b8bdd605c526a0d007d88b90c76c9b9b1ae837d48db2c987f75765
93e14efc8eadf9f9dd7d4aae3b8d680e22ad771d94caa155cd2ee774b3712a3a
8be521d630b1c7285e4e2074443ba82175636714302b975bd27da3e0cb6fc270
6924363cb427ecd59994781e876040d4f0f2422fec9b0e1f61dbe9000dee2baa
5f192f10cc75f3be973d6f3725fb0479f70f67fbb3412f9900a272730acf17b3
1d9b47e8366507c23d81a11dfbc4f5e54c95f6a4b778da0c5990feb28751bdae
5f16ee8e5457480d3780ec03b7b37d9a43f0621a4e8bc0bea6fe77695f6e1ea3
0f546fee6a66dd05082402fcf23e426d2b5bd8a97f6544b77ad951e1f65689bd
7412c73049ad87dbfc8106ce0fc8a03ca2a21d6507fcdb53d96fb2efb8ac1561
4ff0882b1dfe25c7b1793da9754485d1f1a28e660934e8fec5b7aad2e5571502
8f503c7fdf82f233c787200e9672d93ff653affadc78fd3549a477650f4aec36
ff67a4429b3cd257a8ef58dbbc90450eda82271ef4256ba1dc5fa6eb215fedec
86c422aeea528f860b82e8af539b3d38f4c06b1f574addcc0afb200972c51473
140e2bbb3ae25648d8993155ca60f6dac9369dc41ad2eb4fa87cf6104ab938e0
e4408864dff2496aee90aaad03699d107a62e047c19da2f396c3e4a5e1e18692
d20f814c949d8aaefbb38fd7fc5a3d51358e209c88bb40ed611ab34802e3fd9b
9cd9d15f66f824f3df89cb5fd98a32e768a31dd3e0d05245d15759be6b88129f
2f0ae3872ddb72b9c17060aa7608559a5cd92d376dfc88441ff8c54e6f1a65dc
b9634112c7c3ee5da40fdc31fb9a1f4c05dc0c432945575f869d3566c74c4c0b
a14bc89b9c0e1ef9160cc2dbd223eda8627b4919d616a2668e93f9dea8334246
033c55f8f206bede32c03f77eede842650727506dfad0be0aea118b79f9dd922
068035d7c009e6fec1d2baaad409c8289f1c1bba84c1ba792efe5f963db3f97e
b310dcdd9e68c3f72ef76ef1f10506a3094e1de2f96564276d0f7dc8d11bf5f1
8038e254a1dfdbe9a67358318bbe1f90f935b97d9eb6d87717101ff93224884a
e4c4cd20f12ca28fcf603d531dfb0dd6cd0e0222d5187d0e7227d33854776050
6efe9fbfc3d3e47786a8ae76434966a1c64f7c4e91d8709c4eb36ae7b6bb0a86
e2263780bc74e9300528646a608133f1b123def3ceb62d09c5086f32ae813e82
10ef58d9ab1de0c837b94cf2c65618936c9ec98c476f9b262e0c33c0fd752112
2ba48ba616ce16bf1a7b6d8dfbb09f1c984a4c27b11d12b26531992dd4373f23
7c3204c01bd91defa73bf48c8537104084583572061a3f81081aec3275741535
b974f6e408fee02342f4cc5fbc1580da54c4fbbdb3c7541f8cd0cc7aeb097df7
9e3ec9a0a7c86125bceea9ddc46cc00ad70476b0182da370ee8358fcf543939c
ef31e67b0e3fde58acd72fd5e0c6939b82935df5e683e94042239f834d6a2936
5e6b39d039f9fc05c0262c84b33cdfe703b70df0be1491cb2afa294d344756fd
62bd1a4886eaea5b5bbd21eea90540913b0a7a573305b0eb7c58cc61e93ecea0
76c83209bd8b50457ba60e433a6a49be1f03471d506906ee18b8b211fd0779dd
27da76240b4d9ff64b74ed54b40950861096cb90098a81262051704b63aa9096
a0f8fddf5306250fb6d1a880798c989ba07fe83ce09c8aa82c7c968d840ad243
372210f4c6442c3236ed1b7dde082f60d169afc634d13e6953a86230e4fc06d2
88d0ec8c33ccb203a5312e45ae8674fd2f555de075e9a1fbbab1905bed51c1d9
e3ab15a37eb0ac7fc858be0a57d6ca34de07545ec156cab774114a031c72ab4e
a86e9373657effff617182f3bccd52a5e6013e635ca40357d468871f38fdaa8b
7d5e8db5ceb4205a26d726a6375394528dd1ccb55084f337ac69cdd3b0bff6ae
3b6585b5a221372d1ea06544e7762ee242a7790c0f6dccd4905b48af00b45558
d496059f895bbd1ec2bb25f7f4c0395210d085bc525b013c2fe3d962d5e76a48
95d237db17e891b78afc8df935075fa973a0823158a6b706be8695f8525775b3
74ca5aad35d138c31e8cc8bf3a0d3389ab321fac99483f475fa434a6ffd8a6a4
82dbec85d38c90b698f12ae23f185b3f5a76b15b0f544530ddb9750c8fb80d6f
a6ab3643364fe7f07cdde83e146d477a37ed88618cb0278cb5d030ca3f226759
767aa72294b73ffbe525ee35fccfd5939a9cf6d1128717ac159ee9b9f9adc759
8ed52e5cadcf8bc30a3e25bb135c0d5e4e81c8fd43ee2843736bc614998e9a34
8dfdf9c7b2657d5f27838a2ee023e77497bc31e87853983974db402852a28ebc
9a80aacb95033e97acd1faeb405e0bf54e3e891cc8963244c2036ff63630ea10
888e3ee78f9d77ebe995ee5cd3aaaf1b0c6f1c62e5349fb2666cc8ca8c095c7e
2ba41f387ea8d91674878017056d8653151a1c2bc45b4d4c4d97c83657b01db6
34df432fffd0dff5f4a974f12dd75d405816892e113100f34ed1b3bac7358ffe
3361b8e7bb64b56a082e777887264cc89d4694640bc53e1f44f86efed13e2108
d592e061c641ef816a8dc1a6d83d36578a84df47f3b063c06299c8debc4b8a21
be09dbae32fa67700c6ebefff7f8e081b61efd7431cc7326093703a172f91530
bce8d98eb5c366ef1c2bfe0d513e1e59230162943f5fae377a3f1cdb767fe3f6
90fc5b8abe7025184179b0ecce4948baed241898ae625f3710ccc1cd92bcdc00
49ca026d8d0b9af34ff8daeca673475a84d249fba5c6a8204b8f9a15c0145820
451202f7640bc0ba50330e90b7d4496707f2bedbd851cc8be2a7a38dc91ebc1c
2032e1262f598729cad41b1ada73fbbbcec199ee877c825583650c65a824210b
9c6a17b9f0909eb2b0feebbf337d3bd8d543a7e8c9344242382bf814b6fb614d
e70d76f8e2e25aac085a95feb18cbb6283da2ca8b7b65d383723cceb84eff706
38a4d9f237a7a43c30064b9013215249ba0245abeb39428eadb28d120a7e0087
d0d7734635bf2c12c9a6c714ac512d11ef03e4f00a3ecd19cc666653436c652f
8b83d463c4ddfc873ac4954f326d473cd6aa3443617fdba8860680188500def6
1d8b3cef330d50251ae4a59b3cc24e341cc38fffb03f3ea0731ceade94ab71d2
69b4c8361199937a0cb7e28c689e3dfa2967af5dc5ed0c1fccd770273cc3c71a
2037288b15790f8046e536194e8e2cd78f1cec0af33e2368436368475b2c37f2
5430d9faf55e36dfc17034194780f1abbad5f5670f63ac3c1870da3352e2f342
ec7615c1c9aa8d049dd4c8f86407d3253b30137a88e711eccd2e26e017dee00f
7f44edb791af09f8161a6b292d6fc82cf3601e56e1996228133081914a660d50
84f2e7778e3a25f2b9900ddfdfce6bbc39a6814f791c44100fd7d35d38dd95af
0f9f93ac54a96bbbd431fde1eb4bc5499e94286e8234f396d64d0b5e6f5394e2
5902a20f794b3c5ed37a3d76eeaa2f4a8be1548d83f9a94026986813ac5ddaed
1431c6a53d3d523daf93f328d21e164db1457b7499b0db9da818325bea6cd277
de95c7fdb27d4768c98e3ab9230019ae3ab2f2d54890778c839e6f7be10e2bee
567961fe8882128ade4c226651ee188e05fdd8927daacea3ca1a2c487d049dba
890a5d662df8f575eb47d331395eacb582e888494ebea7edd10a9374b605b937
a97ce603c002e36fe4dacfa2df5f77756b7fa2e827c934152ba1acbbdcd6675e
3fa202fb6f5dbcfd3faa63fea105e530440204fd747ba386b9a290545453d4d8
57fd4666f5ee7b31e8b02f6c31d0a33bb08f5eb1694a759b0b1aa95ec9fc0524
df71af12f27e4f7512bc1ce4b7765e550b30a1887fef2e0781770c2c840d262e
22bfdf4ec2732b1eeb75d671dfb2b417f64242b9f30e366c1207cff835a3e175
6abd3a82fe2451100cf201fe9669462ba805b4ce1e754cfb779083592b24bcc1
3f992a10ab5d213b5cad26ba4f416c1e5c54b386d1c20c8a2f4ccd20c5b40e24
fd9203e74edff64b5059ed50dc2bab90592a5bff46a84efd9a7c2f3735509952
e8792948e135a95560f471d83d37df68f63452ac67f33b643e7a1ecea4f04c6a
b24151a525eefa5dcd9b083bc51b383ee8fd51c8b5dd59ab6743b39209196dfb
1c237d4ca5bed7db9150b849ea06db16f44218003ac9649e412746bf6af9ab4a
8a3c4a4dedc8ccc8dcd27b9bb2b0f2a3982b938cf9185c0c4c5b8a46a8321002
47c1e1964a4887a5cbdbe07724152dce1fc0d4f1a81466fb7349a02a8c0de8b8
2954300a43acc2d8c0fa950282160984746ac1d5a7606be99e2c87d03dfec961
SH256 hash:
a4ea280f8614b914a14799ef2c29779bc5b6152b0ef9d4f721385648da0db212
MD5 hash:
f636f2454dbdadec5a1936a8455db489
SHA1 hash:
657d86842a83eac4829596129fab2ae5862f487d
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/b54a4b4c-a9c4-47d5-ad72-3c29deee074f/
Parent samples :
b7f92bbf59df7cfb571012b7aefa91bdc9f25b9cbced01e91dec5b0fc1380f7e
ae7c268e9b988e9fa86380095f0a5cbb7d04024505c01dab09feed5ab8551b8d
338bd51d53c8c482447321ad6d1ec585faedfc3b9d5429f3b33bd805eadbaf92
0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
0dfe79bf85e9cfcbcd5ffa2cb21370eaf78d80d27ae4b4b0c5087afad5c6ebb8
60712b6d9bb023934b8d27fc6f54b3543a5ebfcd229cd1c4cb8f8dbaec08dc99
9952c53705dfc353eeaf4262192cc740a066cb2e401ae3ec9e2ba11706f429e2
23cd8546d36b29224b474b5fff6b67fea6a12c0bcc84b0cdc7e84ca23f5faf3d
be5f3e984fc55b64b4aafb52c1390a52ab94c92a345ba3008df931d2eb5452b5
c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
a674d532150b92874dc954bb8349b6e66a006f1f7dd9381f751237cc98d38dc2
30f53c188f4ca288bab139778eb5426ee3db92ddc779c8df149b501334dd8dbb
59cbe4e681c4371b18a5f6d457369560ce9e4f0eda5a39de1acab8b5bdf73bda
7602098a6b2a95ca014488ce7c67b273a6189d7cc4daa09fb639c32fc21afa99
af1c4d4509e271497c9eac4c96c1fc5c4e419c6d73b69a5141380589e479c16a
a621353d9ba0b680e8f65d1951b47a74a08c1dc903eb071a64680a7a46793197
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
130c869f7ce90b4dd45a1192c8cb13aa8e3f986ab29fb9f446475e2030a2d2ec
e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474
10fd2d2e6c357bcffff543914c648b64fc672861551b5b098ed84a6db04126a3
2d5f57ef41272fafdd56ac619de62e86bf57938c96032cfa90eaa3c48930f012
10559de6aa9d0859f9a8b46c69a4edb950297610a98121a1fb8a3c94de06ed05
43c802763ad10188bf10a16b5bbf7840447d46ec04d1bfc2ef60c58dab38d951
b1d51bc9c016f36486682366f537633a12b95e16e68d7fc184f7a9bf9a48a811
5a673c2139bee9e5deec79e98e0baf1026af44a5a02487d474de76d16b7eddc8
e5ee0f86a7365463f8a0bdd3591624c214c8db88abf861d06d1fbd342a6fbfd1
a641f727fa4566ec19a3a04edcbe7e177aad8fb5f2381907e6c38adfa01f8a7a
6d98593e2de051c5ab3d36ddf4107ab2a0680bdb6bc73bdf9a75c62bb05b124a
cd47f0c08702e38c1ec62ae345136fb824e0ae0db0a8294b97ca9a474edec2f9
a4ce664077c1707b407385c08eb0f4e9299229717ee02b1b1b2f9745ad82613b
819f0be98d577e7949915dfd234c0ac0e0d12088eacab58f83a4418ad3675b4e
0b22914998a25304fe8e6dc1db692f037aa9b2066b43a53f0b24da35e629e6b1
470b09e386f5cd8befb4796af1aec03895b755d4219d6b9fc14e41ae5a400e23
f0c545e288910de036c58dd733fb4202b7cb45daa4e5f0e72e418544c4b1528c
b6f18002487b80c6378f7021d10cf6a6ccad659bb9e4a2c4aa9d016c48b8bfbf
aedfae05284600f51e6fe18a6f47ac68c7971e365d827bed7bc2205f27063c8d
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
357b3313f39b40d4b9acc1181d3eca642418b945e0b35cc0f3c436b9598fd8a5
353630ee79a8d39505ae091c60cb8352182cccdb9b861d1cf6ff2e19f2cc5b1e
af1593748a93b90fe69835554739c92bc7147611b405e8e93bbbffd65ec0c958
ab713363a32fee4abae9d10b1c18fd58454529f80947c5dc221379545b1c86a4
7a560acc97e0be33258afce759c4c215a91103e7b7447e487d540eca65959f4e
7c9d0d539bd2ffef3dfee864f3f7078937f7c9fe392df2f9511ad2a21be9446e
6c863b2dd3f9e7a690f4ab3a1ec9c7da83d2f20e7b82d58dae4bfae34218a878
156ffbc1adf860198501bf76e6428debdfa847e13e73796ee9bad6e982bf94d4
b7ca5eee2c0af78525e33094a2c1d38f639824b8f051a50216dc47417f426bba
cb627325f51d6abcc61a922937e0d66beb75a7c52f28341178dcfbcb01794790
dfb8ecbf4f52efbf20605c2be946d62bb062edf1dce896a9b45516c7aa90e422
b1f950d68fb3e445f741d2bb7fefbcfe1b1a756548dcc6f88b173cae77495b57
5abfe96f31b8b8e4013501cbd3e7bb332e03b37e96f04cb75f05c04f15bb66ac
e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70
b456078d0dff3c375378480fb133a340d88ae4b59d6598ead4249d66523f3428
0707da3b9e454ee6ed7fe3bbc1e61811fa9907263ed843c98ef408f5f741690c
c368072750d355e8b4139efdc6c9007ce31c2989067248ab9312a4d7479015ff
efb452117b9b073d0200fb4ab2407615a33e2149fdebfba2881e711d187ed514
57752262d1f2b530fa014b31fe3d836f47d0b8ebcc81e275a9bf173b42f808a3
f9c3b78cce61d4ef1c118287edc5d5d3324bd64df1d2c704c087e7b073d7eb33
0f99bf966f34d5152ee51fd8510a37b3fc0792334c9b8f2475e896bc2ec72a6e
2f835a2d633b2fb81fb9375cefc17313e59a283de5869b7d7f04b42e9134cf25
3a8d95ebd1a116107405f1cb2a7d42e954643a9a0244ceef22a70b656b8525a3
6fa16359905843e294d5f805986bda12aa603775ea7db1eaf10beff3493c3b93
bf166be918695404ec2724b62671d7eac13fd67e39433894439d70a2ce534861
99d1f6ce99a8c07c33ee2dafe789299e0a51c2860882a2548c6e612606b1c1c1
ddb4d0771b710a59722707002a175602f29c6d1aeab70c61e0e9dc3eeeade55e
ed27568e72ac6bf7edfb74b5a35ea694d11ca0859753ec5816bf0d84c5803958
54368441d4ed3cdc5b14f8de606c9c0ef111838b10072a6ac68cd58d8b47bedf
c9a5fff84aef8b46605c9414b3d20e1f190e902454757c1f89179c5436422109
44ae98fe4b0b4bd2000ed7ec88e9b7458e04c1abbe64102142c1686ac4ac494b
80e7e263927b11a7f93f188d4e1e4ee34a4751187672e5298c03e6ceaf43d104
dad46ac711be7ee69322bea3f3069bcd644ba55cbbe635a232b1e76fdb08da23
73d81ccb9a09fc6ce1789df05b4fec440ba9aa3c0998da3a843e577a111def96
7b75b7d9e892e63a9fd39ccb87222d7311b6a3e9cba68cd34dc650e15e295796
3249cbb032d6aaf66c01aaddc48eab91417b1f22b97ddb659f2f5a5a5683bfb3
SH256 hash:
9927c6a6a5b3311c73c0188a6ba1721b126c27812c83ea0ae27c367fec3f6596
MD5 hash:
a6690903ab23a894d23cce972557fd3e
SHA1 hash:
ce8d4513bea849175f82ac7e761cb1e45608f9e1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b54a4b4c-a9c4-47d5-ad72-3c29deee074f/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e89363fb758a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:agentesla
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked agenttesla malware samples.
Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:growtopia
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked growtopia stealer malware samples.
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_808f680e
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1825c9f02ec151646292ade0fffe5ba6dfc8505f1b33c5059094b2ee38faab3e

AgentTesla

Executable exe e89363fb758ac1d01dffca3212cd980aa3fe199efda522052fc8c3e041b31f70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1825c9f02ec151646292ade0fffe5ba6dfc8505f1b33c5059094b2ee38faab3e
  
Dropped by
MD5 a73561bcbaebc63c9941a74189224441
Cape
Cape
https://www.capesandbox.com/analysis/9956/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments