MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
SHA3-384 hash: adb56ba92b33d8fed10441b9f6585497b35dcbc666e5564697679ab084a43978ad0eb880834ddfead5ce486dbc14cfa8
SHA1 hash: 66e843edd184c92c957876e8916c7b160ebb0427
MD5 hash: 37ba8e340b84dab15f6139caf18760e3
humanhash: sweet-asparagus-lima-magazine
File name:2023000000025 scan_Fiyat Teklif - 10523 2023935164- BUET 0%01%.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:709'632 bytes
First seen:2024-01-24 10:16:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:Rnv2iNPBJI3kIi/W3MpkA4lcooBNiQJ7X4KTA7mIzEgaGn8DfpNrIkO29izJol3:F1xukTvpkAx6y7o+AiKbn8DBRIfaO
TLSH T12DE41241B3FC9B56D8E9A7BA2662D08093B23E5F6527D70E4C9871CE0E76B004B41F67
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 210c17330f231786 (6 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
0809e366-ab43-4045-b179-65692f051b4d
Verdict:
Malicious activity
Analysis date:
2024-01-23 13:13:41 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/0809e366-ab43-4045-b179-65692f051b4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/472701/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65b0e3aacaf820370f5942c2/reports/db043171-b860-4579-aebd-67d147162241/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d22fb626-344d-43ac-8b8b-281d361dd41d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1380196
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1380196 Sample: 2023000000025_scan_Fiyat_Te... Startdate: 24/01/2024 Architecture: WINDOWS Score: 100 29 mail.bilimseltipyayinevi.com 2->29 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 7 other signatures 2->37 7 ctsdvwT.exe 3 2->7         started        10 2023000000025_scan_Fiyat_Teklif_-_10523_2023935164-_BUET_0%01%.exe 3 2->10         started        12 ctsdvwT.exe 2 2->12         started        signatures3 process4 signatures5 39 Antivirus detection for dropped file 7->39 41 Multi AV Scanner detection for dropped file 7->41 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 47 2 other signatures 7->47 14 ctsdvwT.exe 2 7->14         started        45 Injects a PE file into a foreign processes 10->45 17 2023000000025_scan_Fiyat_Teklif_-_10523_2023935164-_BUET_0%01%.exe 1 5 10->17         started        21 ctsdvwT.exe 2 12->21         started        process6 dnsIp7 27 mail.bilimseltipyayinevi.com 94.103.35.2, 49723, 587 VERITEKNIKTR Turkey 17->27 23 C:\Users\user\AppData\Roaming\...\ctsdvwT.exe, PE32 17->23 dropped 25 C:\Users\user\...\ctsdvwT.exe:Zone.Identifier, ASCII 17->25 dropped 49 Tries to steal Mail credentials (via file / registry access) 17->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 53 Installs a global keyboard hook 17->53 55 Tries to harvest and steal browser information (history, passwords, etc) 21->55 file8 signatures9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 12:42:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
33
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xwjzeskugk2mri462ipmkk6wwqzgd73vfg7fkplzskgkaxcwd4q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240124-mb2r5sfhc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4b1b5c13062076b8482834256679ddd7ce05b1aab77f38f8b1250c2473a3b917
MD5 hash:
bd66dd1aa735c8a6a085672df43ebbf7
SHA1 hash:
f62542de32e7eeb87cad60d27d7c95a1efb6e0f3
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
Parent samples :
b601d1ef1cb314076912264021dc3dde56e5697cd344fc6da9b954230ccf8aaf
4ec0dc97a22820f4d65d46424b991f5a8d84db9272d76a9801f5c31d299d42f3
751597396e020f0bc9c02049fba72290571f6ade9b2c079f33bf1e70f99a30f6
b158ba3f49bd61efc640f7deae0d98757d964970f1af83a17d619cb4fb1f2fef
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
SH256 hash:
a045c96d4878b673a5cde3d702118eccec146db3ffd84a47bab36912a4a6d27e
MD5 hash:
907876bb49866dbb17244475578e4315
SHA1 hash:
380c556b9b7020669189174d005fff5be67731c1
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
Parent samples :
1114073506daab881c22bce61bd90102035168e438f38e854f6ec4c06d6d32c7
7bb92c2e39257c484c80d3b38aa3434b89eb60ff3af59d9213768b584e4f30ed
4860c4829d6149b7b05d263746a1f28702c98d9e187eac27c32f6b2bde162e9b
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
SH256 hash:
e33e2936d9280a7d4470c46994750a10aab5e6f6a8265c083124f23e34170f66
MD5 hash:
c82c74c7cc736ca34eda994553713b15
SHA1 hash:
37f670d3c44a0f7328bdbfa1f3f4b9a8a3ac0aeb
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
SH256 hash:
853f530579b4aa0d5f36b83fb15310d1165c59906bc8dda245b686c26a2fe574
MD5 hash:
6dcd36e908965b3a3c4ab333fcbb6f4a
SHA1 hash:
2d4f917ce319c586cc77c54ee2c80616c5467d32
Detections:
Saudi_Phish_Trojan
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
Parent samples :
9d58f6f9e8cadbecbbef127edaa0f5376f8a52643e8d08d029f6672783a16e22
af44409d8c91f6233e6f5158318c154f79b07759cdab2285976d42aab8ad2953
21f4cff809112e0a354179b898ede4e2d46c02c4054faeea2a1d57c08f6ac6bd
3e941cee8775445c37f252c350d1db6c09ba1587a798ffe8ded410568fe84629
008829495fb07d03d8ba297ade38201a8d713902ee7b2c18710e2ca63513daa3
5d6af06be9ec01074484b491de582d0ba0625f30ef36b96331675cd2615fe7ed
15114ec1d55832243fff432834efa5432e01e8834b6b8bfe05c7e6e8bdf78b7e
7154910c217ddc6b6d3726e066d688288efbcd8682a4ad90556fed2ce9009c69
3730cb53c74ac925b65e3c43e603f1a2664d5b06d1c9239403a7178ce9c3e4e0
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
1714faef50d0127645ce3540480623cf619f9b10c0364c67ca22db0f604e2381
46de16ca8457889b62194d6dfc6a4baedc6ebda2feccb40cfede71e5ef8909a9
1d132becb6f5aa7c2597944d9fa196bacf8cea871ccbdd09ce64cab06f581583
c63a10d8a92a5348801360fb963792f3f4309d6801eee6fa63038333f6b5d830
d5b58663ecebfcc7b6093c8d0fbea2539cbcaeaa00d3f46f38b60353223ace6f
29f087438d46cf90b950d1013a74442b2f59854ff69b760616b9d14d6ac9a801
55f2afe80aaf7acecb9a81cd6171b4bf54a30aca00df32c4fc42aeb37d383f39
8826eb70de19f0bde0925ea53e0e33510e5414658ceaf5afacb6c1fb180d9745
0b31e06dc15e96e9b5a3ff9f7618643d8d0e8e71f631414482ee8c218bbd2d85
f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
b5e780ba89a5931161f195adb76074b20fd6a6074193529cbe6fd80031f66ad0
1114073506daab881c22bce61bd90102035168e438f38e854f6ec4c06d6d32c7
7bb92c2e39257c484c80d3b38aa3434b89eb60ff3af59d9213768b584e4f30ed
41f69d2ee1b520c3b7b6f890f1aa179e8e4e7b42e0ee9bde0d0bffe6ee99e21b
e453df70a43c13e5369e84d709be914f98bd1035d4efee09d090572baa1845d1
1a4bea91e3d72f6c78b16e46376c9705c50d45f0c1ab05b0145bed9b8a33e477
64b31e1b3603d676bdc0bbef41f539f4512bb295f019e25989694bfe05431b83
4860c4829d6149b7b05d263746a1f28702c98d9e187eac27c32f6b2bde162e9b
d1eff45d764dbbd9e9fc345263b8b7f3b39996d4dd57b3c3ff4dd57215faad07
fa4c8c4fd3ad0008d15bcd71e575130151f5f211f7b1fd3e4c934e68f9ec5ad7
96248233333c5f0fa32b88c881dde0121959b89856b26b932dc1e4622d6f6c72
776774dc37907872aa37bd08d7940d51fcbdf88d09dddfd406215a9a5711dec7
0443311f4b05218b62f48a55e9352a7bae03736be86f25590419adf5839f23c5
f4dee254d538c6b4e5892fe7320c6d3dee7fe65e76d5e6071b59218dd76bd58e
5d47a80d0d70a08c67a9a793bfbbb939c9b13938e76e4b03f8499b3f4e4caa6a
289c80a31dd9c0f4c69db3288e5240e090a70e076fef4e392c63af50d224e4a5
33cde805b1aa4d8bdab56b02496c00745feadbbf0931c1f759fb9669d0090b80
069960eea034929991cd4c1edfd5cfbe12ecd1fb8cc85a58e64696c69839f49a
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
2d79661bab06962e3e62224d335c54bba46b49816053a657f5e385f9c664decb
18dcc42b24c46ae2977b3173964ba0a89595c83839bf527a32a7c7b28b4c369a
789f724c88740882c6fef87be7bdf47461cd59482f41fa18d48ad799b9cfb931
c9299fe5ed7896a57647e91989b9f0eaaaf695a0327badb974c595f461602645
9ab459961a61e4b570365b270bbd8f19ce432275f7d5a44c22fea3efba69fa9c
9d381423ee9f27108e8df36d255f1cfa33e6873ab0d7827d72b47d548293024b
ebaad7382547ccd2a7122e2a991e0b5fabcfc49823e258eaef1c2c57062321a3
59271e92e53dd84c1525724e5157c22a417a7875473031fd268245033917f97f
SH256 hash:
49f12025017c6a5aec4d4b5c661048b49e05635297a55aba88e28b8ca74ef0ce
MD5 hash:
66cb5e8d0fd00d3f69cc260ce48dec0c
SHA1 hash:
11fb2d2634ad099a38a9814b52b5e2778e7c9e89
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
SH256 hash:
edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9
MD5 hash:
37ba8e340b84dab15f6139caf18760e3
SHA1 hash:
66e843edd184c92c957876e8916c7b160ebb0427
Link:
https://www.unpac.me/results/09eb88ed-6e43-441d-b55d-2ecebf27ed60/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/edec9c924aa1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe edec9c924aa195a6451cf690f6295eb5a1930ffba94df2a9ebcc946502e2b0f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/472701/

Comments