MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec
SHA3-384 hash: 4358f175cda3c19e8b8bf5474afe9bab423f4113b80a9eadd642c49a1d398c264433e53b4714461d511ae6f0744ab70a
SHA1 hash: 28bc416a29278598ab725a7215aa32229c7bf9d9
MD5 hash: 516ff7145edb5838c23989c8cbb221ca
humanhash: golf-five-east-alanine
File name:Ürün_Fiyat 10243975_formu scan MuHas963_.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:629'248 bytes
First seen:2023-07-14 12:10:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:82PtemZ8G+PhQLY9J5WJC3YHCdVO4QrFup+6pF2FC:jtewuPhGYiC3YHsQ/5us+F2A
Threatray 463 similar samples on MalwareBazaar
TLSH T13AD4123A55291B56E3B64BF50140237053BE49D6BA32F7A78CC670CECB35F498A64D23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d092989899a9a1c9 (16 x AgentTesla, 3 x RemcosRAT, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:AgentTesla exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Ürün_Fiyat 10243975_formu scan MuHas963_.exe
Verdict:
Malicious activity
Analysis date:
2023-07-14 12:16:19 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/a46250bf-e5e7-4ce2-9391-5cfbdea76bca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418770/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.101852.15497.664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab0349d6-ec51-4725-b76d-44bb867e2eb5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273131
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273131 Sample: #U00dcr#U00fcn_Fiyat_102439... Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 7 #U00dcr#U00fcn_Fiyat_10243975_formu_scan_MuHas963_.exe 7 2->7         started        11 uphhWPjlIXB.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\uphhWPjlIXB.exe, PE32 7->35 dropped 37 C:\Users\...\uphhWPjlIXB.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB4B8.tmp, XML 7->39 dropped 41 #U00dcr#U00fcn_Fiy...n_MuHas963_.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 59 Injects a PE file into a foreign processes 7->59 13 #U00dcr#U00fcn_Fiyat_10243975_formu_scan_MuHas963_.exe 15 7 7->13         started        17 powershell.exe 18 7->17         started        19 schtasks.exe 1 7->19         started        21 #U00dcr#U00fcn_Fiyat_10243975_formu_scan_MuHas963_.exe 7->21         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 23 uphhWPjlIXB.exe 14 7 11->23         started        25 schtasks.exe 1 11->25         started        27 uphhWPjlIXB.exe 11->27         started        signatures5 process6 dnsIp7 43 discord.com 162.159.138.232, 443, 49719, 49720 CLOUDFLARENETUS United States 13->43 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 69 Installs a global keyboard hook 23->69 33 conhost.exe 25->33         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 10:18:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ah6ql7f7kr4mgkst2rfu2klwwo7tmbdmzcbz6dldx7q5hycov3wa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
309892ec1d5c26c1ffe3d4ea531df5475ddb9d0959ccc3f8b4c147eae55bf5aa
AgentTesla
339429d967f98ad9c386cb00ba35eb536e2d6d724264ce454a8a1a350e0f40c4
AgentTesla
59e4c9c9baab4c3b88d91cbcb0edaf1c2eb5f27a8d4201425e30ca48cc7ea035
AgentTesla
67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
AgentTesla
7918d390e8ff7703cf6241499b0bf03eb8318008679c3e185a491dad0a2f2695
AgentTesla
a1f77d1997422f4bb911ad530de645219d7b462baf1b7f6ee346c5409b169a08
AgentTesla
ba41cc66aeb4792c945d4ac87b51b1149827fe02f0f66d4ed7f03b01ff823c60
AgentTesla
c0ee769f085dd3cea7755a01e6294ecf18c4f3448b4bbbcbbc6eaa0b8529fdbc
AgentTesla
ff83137921b3eeff0d4fb13d18137b9350419d94b84e42f791251dd83af8563a
AgentTesla
+ 453 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230714-pck7wsed6w/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1128590293319569429/p6mdLBq6xA039MtGf_8sp0o-unZ3V0mvQp0HzGzNyiM96G5uGbHx9ZBGNG2h0G1LEgzw
Unpacked files
SH256 hash:
f53c4023da02df834ae1356a5a050273cc931f9faebf380a19ab75498d43af88
MD5 hash:
ec137f1b6998c24fdb9944b3e1faf609
SHA1 hash:
d285c88f91388fdc82d60d581b90f4881651bf7a
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/3ed8201c-56fe-46ea-935c-c91a05a9b761/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/3ed8201c-56fe-46ea-935c-c91a05a9b761/
SH256 hash:
af320eab5df3c9b28d3649377c85e531573bc9c073e1bcf5ce6586da2458e581
MD5 hash:
c2d271eff03ddbe6832882abe288fa42
SHA1 hash:
2b6b36fccbaa2ccd3bbca721cf561af3d1e319ee
Link:
https://www.unpac.me/results/3ed8201c-56fe-46ea-935c-c91a05a9b761/
SH256 hash:
3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9
MD5 hash:
a5228b97b33467ac41fac5cac2718252
SHA1 hash:
28bb020c8a53b046fc8e8106f2913e62c5941a0d
Link:
https://www.unpac.me/results/3ed8201c-56fe-46ea-935c-c91a05a9b761/
SH256 hash:
01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec
MD5 hash:
516ff7145edb5838c23989c8cbb221ca
SHA1 hash:
28bc416a29278598ab725a7215aa32229c7bf9d9
Link:
https://www.unpac.me/results/3ed8201c-56fe-46ea-935c-c91a05a9b761/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/01fd05fcbf54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 01fd05fcbf5478c32a53d44b4d2976b3bf36046cc8839f0d63bfe1d3e04eaeec

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/418770/

Comments