MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

SHA256 hash: f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
SHA3-384 hash: 9cf67eb5eb7a4470057a627ba6cbb1339fa567d8cbac61514497e09d3d6772641b8671b794af940c566acf648cdad7bf
SHA1 hash: 8d8ac5b528d8e6fecf081e32c38e7a23fe6bfc01
MD5 hash: 3780fa7621e2ec23aba413d63c1dbe1f
humanhash: michigan-nebraska-lima-vegan
File name: TEKLİF TALEP PANDOĞA SAN ve TİC AŞ_PDF.exe
Signature: AgentTesla
File size: 631'296 bytes
First seen: 2024-01-23 16:59:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 12288:4p/2iNPBJI3pGl/ROP8OZwNIoDa7/TsHhDOxha96s6kkuOTZz:c1xuipOUOZwNOsHhDMe6/uOZ
TLSH: T146D4121173F86705E4B55BBA1270414017B97A2F3AA5D68E4CEAA1CE1D76B004FE2FB3
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: Anonymous
Tags: AgentTesla exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 346
Origin country: CH
Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5.exe
Verdict: Malicious activity
Analysis date: 2024-01-23 17:01:35 UTC
Tags: stealer agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: MSIL Injector
Verdict: Malicious
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (the rendered graph is not recoverable; only the node data extracted from it is kept below):
Behavior Graph ID: 1379712
Sample: TEKL#U0130F_TALEP_PANDO#U01...
Startdate: 23/01/2024
Architecture: WINDOWS
Score: 100
Submitted sample:
  DNS: cp5ua.hyperhost.ua
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
  Started: CUGspSslVsgCdv.exe; TEKL#U0130F_TALEP_PANDO#U011eA_SAN_ve_T#U0130C_A#U015e_PDF.exe
TEKL#U0130F_TALEP_PANDO#U011eA_SAN_ve_T#U0130C_A#U015e_PDF.exe:
  Dropped: C:\Users\user\AppData\...\CUGspSslVsgCdv.exe (PE32); C:\Users\user\AppData\Local\...\tmpC5DD.tmp (XML)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: TEKL#U0130F_TALEP_PANDO#U011eA_SAN_ve_T#U0130C_A#U015e_PDF.exe (child); powershell.exe; powershell.exe; 3 other processes
    Child TEKL#U0130F_TALEP_PANDO#U011eA_SAN_ve_T#U0130C_A#U015e_PDF.exe network: cp5ua.hyperhost.ua 91.235.128.141, 49702, 49705, 587 ITLASUA Ukraine
    powershell.exe started: WmiPrvSE.exe; conhost.exe
    powershell.exe started: conhost.exe
    3 other processes started: conhost.exe
CUGspSslVsgCdv.exe:
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
  Started: CUGspSslVsgCdv.exe (child); schtasks.exe; CUGspSslVsgCdv.exe (child)
    Child CUGspSslVsgCdv.exe signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe started: conhost.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2024-01-23 07:59:55 UTC
File Type: PE (.Net Exe)
Extracted files: 29
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files

SHA256 hash: 1d33d555b73c704ff4fe4034d52b78ea5adc015480134730ee5be35dda903dba
MD5 hash: d57ba8cdc26064b4bb6d9a54d192eeb9
SHA1 hash: 5667c386c978441a63c13a0bcad6a12b7532281c
Detections: INDICATOR_EXE_Packed_SmartAssembly
Parent samples:

SHA256 hash: 1105c0024a2f2173d5bbda6f209168a34ed95d5cdb05f72be075ef301ee0f63c
MD5 hash: ec5e9334f65168cce67cd57bc6391d0a
SHA1 hash: 4f2ac65623e89a9457cdd5fc51dc5d747b4830e4
Detections: AgentTeslaXorStringsNet MSIL_SUSP_OBFUSC_XorStringsNet INDICATOR_EXE_Packed_GEN01
Parent samples:

SHA256 hash: 640175710e1d904f28b5f3c6f22349a741c0f343d4adc961bd1db722376bad5b
MD5 hash: 0b6295a1fde17a50e83a2e55eb049ed1
SHA1 hash: 49011fe9755dd3aff144aba13b167831bb1adb64

SHA256 hash: 853f530579b4aa0d5f36b83fb15310d1165c59906bc8dda245b686c26a2fe574
MD5 hash: 6dcd36e908965b3a3c4ab333fcbb6f4a
SHA1 hash: 2d4f917ce319c586cc77c54ee2c80616c5467d32
Detections: Saudi_Phish_Trojan INDICATOR_EXE_Packed_SmartAssembly
Parent samples:

SHA256 hash: 49f12025017c6a5aec4d4b5c661048b49e05635297a55aba88e28b8ca74ef0ce
MD5 hash: 66cb5e8d0fd00d3f69cc260ce48dec0c
SHA1 hash: 11fb2d2634ad099a38a9814b52b5e2778e7c9e89

SHA256 hash: f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5
MD5 hash: 3780fa7621e2ec23aba413d63c1dbe1f
SHA1 hash: 8d8ac5b528d8e6fecf081e32c38e7a23fe6bfc01
Malware family: AgentTesla.v4
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f9a87985ca23f73a732bf3ab2d2158c3c3d72daa50a6ddc1299f8ae55c4fc5e5 (this sample)

Delivery method: Distributed via e-mail attachment

Comments