MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03
SHA3-384 hash:	ef1a98cf6e7406bad78e19f4b284b6106b153b7ed0dab10670b59735df85a371623dfa1fecee741d0d988f48a7d7200f
SHA1 hash:	d8ca513e1e85e1a8dd6a81824f86064fad19419a
MD5 hash:	7b79bbfe338448b0de666215060d2cbc
humanhash:	seventeen-georgia-robin-fanta
File name:	fuckme55.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	11'867'648 bytes
First seen:	2023-06-28 21:19:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	196608:ChTb9B0BPrDz4pxgZZPy5RmStgxb/z6FDiSJXqeUh4mT+uFk8spbVgo87e8YU:sTb9epDz4MZZ4RmxYDiScfhHjeV+vK8Y
Threatray	6 similar samples on MalwareBazaar
TLSH	T163C6332C4E98BBEEE7A15D7922F20529E7D97513CA57EBDFCEC8365001227C4EB19084
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	ULTRAFRAUD
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

fuckme55.exe

Verdict:

Malicious activity

Analysis date:

2023-06-28 21:21:10 UTC

Tags:

quasar

Link:

https://app.any.run/tasks/43026e83-5f8d-4d99-9393-c700315ef6c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/403639/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.2450.7023.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/649ca4040194f19971946e0b/reports/1dbacd47-9537-40bf-824b-84a62f533ed5/overview

Verdict:

Malicious

Labled as:

Variadic.A.348.Generic

Link:

https://www.hybrid-analysis.com/sample/150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03

Result

Verdict:

MALICIOUS

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20d9e836-68b3-49e1-9fc0-20346f160f75

Result

Threat name:

Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1262950

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

quasar

Link:

https://mwdb.cert.pl/sample/150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03/

Threat name:

ByteCode-MSIL.Trojan.Variadic

Status:

Malicious

First seen:

2023-06-28 21:20:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cuawt6fcqyxezf375gnu22q26trbnhpk43lw2zcdjlzvmm6adybq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2658355af06f2bd5c9bb325e856723a362efcd9d9a8ee6a7c7f6ae5f85214e88

AgentTesla

44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

AgentTesla

480f481f15179f3009791744f5e16f0fd4868da9b1e68cbeeab729d12f3ddd3d

AgentTesla

9c17ba1f31d3c5a41d0437818a7d6512775ba991a1d8a03e49f29fc982191190

AgentTesla

a8a85e6faaed6a3dc5687d05b92a9f181e0d986eae1b4e1d731c221990920037

AgentTesla

Result

Malware family:

quasar

Score:

10/10

Tags:

family:quasar botnet:office04 spyware trojan

Link:

https://tria.ge/reports/230628-z6q1cabb93/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Quasar RAT

Quasar payload

Malware Config

C2 Extraction:

192.168.1.237:4782

Unpacked files

SH256 hash:

e81398fe27661647e7b8e210d9c35696fa77e50e138c4d1cf2f8a31fdf132eed

MD5 hash:

11cbe386c19f7b05be4da4c6768fe0d3

SHA1 hash:

3cbabd947af7ca7865f9afd7dc4aa2bc0d32fc21

Link:

https://www.unpac.me/results/7809a975-f236-4c43-8b8b-4f9f8768732b/

SH256 hash:

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03

MD5 hash:

7b79bbfe338448b0de666215060d2cbc

SHA1 hash:

d8ca513e1e85e1a8dd6a81824f86064fad19419a

Link:

https://www.unpac.me/results/7809a975-f236-4c43-8b8b-4f9f8768732b/

Malware family:

QuasarRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/150169f8a286/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/403639/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample