MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
SHA3-384 hash: dcf61d04da5f6402a8937a679a0381dee43ba2ff7c56e1437de29f215c48917f130560f7c5d9e8468c3c04104c55f12f
SHA1 hash: 52c7ad0d6b19440b60dde938fb9b1dead88f067e
MD5 hash: 34ebe5ec1252d01fa9233a6b8054a7c4
humanhash: cold-sierra-oklahoma-wyoming
File name:New Quote 50029741830.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:731'648 bytes
First seen:2024-05-06 06:35:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yjWJm6CfoZ2X4ciGfd2iFl+vnk3yHf4EyG9957CrfH50FyjfG/gMGOXb6s8qCVXS:yokoci8x3KQJG9bOVFMGOWs8qCVXS
Threatray 72 similar samples on MalwareBazaar
TLSH T1C4F41232AB8C8937D63E98F8244296191BB9490B75D1F3C4FD8C86BB7A813DD86147D3
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 08e2b0c86e36d879 (15 x AgentTesla, 2 x SnakeKeylogger, 2 x Formbook)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50.exe
Verdict:
Malicious activity
Analysis date:
2024-05-06 06:36:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b3a42c1-b8b7-45cd-93b2-a6c7d2e66d46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.143680.19735.13898.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66387a5237aa0350b82e5132/reports/adfd6f00-181f-4dcf-bb74-7e4f1c4109d4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4668c62e-59cf-4a8c-bf20-a8f69b1c9dee
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1436614
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436614 Sample: New Quote 50029741830.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 9 other signatures 2->50 7 New Quote 50029741830.exe 7 2->7         started        11 yqlOaUZZYhEp.exe 5 2->11         started        process3 file4 40 C:\Users\user\AppData\...\yqlOaUZZYhEp.exe, PE32+ 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpD371.tmp, XML 7->42 dropped 52 Modifies the context of a thread in another process (thread injection) 7->52 54 Adds a directory exclusion to Windows Defender 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 New Quote 50029741830.exe 7->20         started        56 Antivirus detection for dropped file 11->56 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 yqlOaUZZYhEp.exe 11->24         started        signatures5 process6 signatures7 62 Loading BitLocker PowerShell Module 13->62 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 WerFault.exe 2 20->34         started        36 conhost.exe 22->36         started        38 WerFault.exe 24->38         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-05-06 03:54:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
11
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7gooi6ktk4om3piesoguwz666fe7b67ueucthqjplmkec6upria._file
Verdict:
malicious
Similar samples:
0188afd1981d1f23cb7dc4b9acc86642650a6c43948a9241940218eea9c6bd20
AgentTesla
143d962bb7b915798075dcbc1a88f442a50f750ae12f10f7252a19a9da02e537
AgentTesla
2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
AgentTesla
36d09ca71335d5a490b523a7dbbf5d03243c45afaef1c19ba15876cfb2bdca5d
AgentTesla
49ef0d1c1549f017b299b97d645ac15bd455b284765810ee72cfac032b1381ff
AgentTesla
75d78c21037f0772b93c881552d2d5b10c3c299d185a9ba243cb6416a4fa2384
AgentTesla
+ 62 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240506-hcw6tsfb83/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50
MD5 hash:
34ebe5ec1252d01fa9233a6b8054a7c4
SHA1 hash:
52c7ad0d6b19440b60dde938fb9b1dead88f067e
Link:
https://www.unpac.me/results/2095d03d-ff1d-4c68-9b12-207820d869bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fcce723ca9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/2fcce723ca9ab8e66de8249c6a5b3ef78a4f87dfa128299e097ad8a20bd47c50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments