MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c4064658cfc929bb45169b4ea8f237984acd8f92ee45892c1b05bffc61cf0aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 17



SHA256 hash: 5c4064658cfc929bb45169b4ea8f237984acd8f92ee45892c1b05bffc61cf0aa
SHA3-384 hash: b3b63911364e710195e3cce1bb6dd51f850a27ce6b3e015207e5618e4598e3b3facc7269187b38cd02f43095d580b435
SHA1 hash: f0215a7f600ee104f6da49ea142578d835046d2d
MD5 hash: 8bc29f39922f7905925d0f58e95f1a4a
humanhash: indigo-april-arkansas-golf
File name: SecuriteInfo.com.Win32.RATX-gen.24742.674
Signature: AgentTesla
File size: 717'312 bytes
First seen: 2024-07-31 16:20:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:FiSOpnAArPTdW+2Av3Gg5dgKD488nXl1i2ow4QnFr9Ie1vPzsLtTPFe:FiFaArbddLWg5uq4pXl1boEFBh1vL+P4
Threatray: 637 similar samples on MalwareBazaar
TLSH: T143E42359B7A8D20DF2F92731D028E8FA0765EE85DA61C20F3CC53ECB75397649128729
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 402
Origin country: FR
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: SecuriteInfo.com.Win32.RATX-gen.24742.674
Verdict: Malicious activity
Analysis date: 2024-07-31 16:32:39 UTC
Tags: netreactor stealer formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: Execution Network Stealth Swotter
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph (ID: 1485491; sample: SecuriteInfo.com.Win32.RATX-gen.24742.674.exe; start date: 31/07/2024; architecture: WINDOWS; score: 100)

Top-level network contacts:
  www.beescy.xyz (Performs DNS queries to domains with low reputation)
  www.yetung.com
  19 other IPs or domains

Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Sigma detected: Scheduled temp file as task from temp location
  9 other signatures

Process tree:
  SecuriteInfo.com.Win32.RATX-gen.24742.674.exe
    dropped: C:\Users\user\AppData\Roaming\PdiKtUmwt.exe (PE32)
    dropped: C:\Users\...\PdiKtUmwt.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmpB678.tmp (XML)
    dropped: SecuriteInfo.com.W...n.24742.674.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    vbc.exe
      signature: Maps a DLL or memory area into another process
      YDZxprxJRJ.exe (injected)
        sethc.exe
          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          YDZxprxJRJ.exe (injected)
            signature: Found direct / indirect Syscall (likely to bypass EDR)
            network: www.beescy.xyz 162.0.213.72, ports 49771, 49772, 49773 (ACPCA, Canada)
            network: double2nllc.com 157.173.209.16, ports 49755, 49756, 49757 (SSHENETUS, United Kingdom)
            network: 12 other IPs or domains
          firefox.exe
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      WmiPrvSE.exe
      conhost.exe
    schtasks.exe
      conhost.exe
  PdiKtUmwt.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    vbc.exe
      YDZxprxJRJ.exe (injected)
        signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
        sethc.exe
    schtasks.exe
      conhost.exe
Threat name: ByteCode-MSIL.Backdoor.FormBook
Status: Malicious
First seen: 2024-07-31 16:21:05 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: credential_access discovery execution persistence privilege_escalation stealer
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: ecd942960bdf6229e36999829d08e39b3df911ffe1aa876ff5e10c758e15aef9
MD5 hash: 937929fba94bbcfba33e5f07894b0211
SHA1 hash: 4b4a1bdd10b05d634a2ed633c11a7a1980d925c5

SHA256 hash: 8309221b129494e58b531e1bb54e12b89d9d2914d893fe831dd19b099aba7331
MD5 hash: b36c15e967699b292c6aec154f26ba7e
SHA1 hash: a55f9f93e516b0edf9c69f94eb5df5984ee83a60

SHA256 hash: f7bf5dec85a3ec02b206fa42e8b3c4857db064b1094ad80a80a4899cb3b1222f
MD5 hash: 65e978693d8b713bb2b96af6f58286ee
SHA1 hash: fcae99ae09d804e80d7718aa30d2ea220ef340c6
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples:
fec7c785b5cab74579e38a8b33a3fdfa91ea44356f31c29b793680f7740f663e
03ce36fd07bc77fb8fcb27e93d3e05053a3ac991012891b2fa96370b4ed26784
680b2535047f66d49243a54b9659a3714a2133daa2f5b8b06c7519e2fa075f64
626ffcb054c33c59e1caa726e5a71f11f2e6dc81a982afbca8820e09ac7929b4
96de213abe4abd93e28e7a7a3053906e85027b08f6333531f52da2e67b096447
3ba7694dd1ba8f1886339cc90d6c66d518745e0dd837fecd0d67c27b33712d43
f087a9852ad32d54b3691e9d25c081ee806c262c35b4704035e948d855f45246
9e6e07e5acd158d093464bf485f966d7d6ec4a6f5b36d80bc2beb3d9bb07c45e
9f17dfb2b539dbfeae4eff938a67da34bf07b6d9617c49963ec4b537449f7520
d12078dbf736a6b4c15d15c12c4fde2586164b70ab09c38f5024321fab1a6b01
cb0a8f0e6440de0c5299984554a8cafa69d326d41f29a477f6536b6934a2b732
45bac0cd4b709400f6801f0b6dfaa5eba1d6125d3a859ade0cf2a1e53b637746
d86f8e1eb90204fd06f98aae802410b345b1a2e9b561a933b1980e2e4aad99a4
6aaa71779c919eb439d209d99b8f0f9adfb89f20bd1333658c8f3cd615d054f5
9709b89b130bc2a8b0f8aaf832705d093760bf811698cfe3cc40ff1751bef020
c2c4eb306f16f75c7cc6a4afc6b5161b8f84eb242604b739d172ac1ae1f01d15
ad0f22301dd500e68662a4085fd546d09d7f8d2902369f8a537bd364c04e88aa
36609ed28222d995170a36e1d4df63fcf518bece4a965e5674cc5a03c2d2b324
ec0cb53f3f7dd573b6449bed509234445870faabe3134f554f48ac150ae99de2
158c8861036425f4e7b9df9a610a0e23d45a811c2916aa697cb01491b493e539
88e81b3ce5ac8ea73503bda113bf3e8df80928b7521c349e5e4cf46d118ea419
cdd7df460178e0239fb3342ac3f97e920069e5b2aac1c9c343923241f1b60b87
5c4064658cfc929bb45169b4ea8f237984acd8f92ee45892c1b05bffc61cf0aa
4a79a8b83afd4feb2fd2e130d54f667fa9ee6c61ecf7d61efed3753ab2450775
121de22078536795f06ad23e6db6d1627f4cab617a6264b44820839c13e4c2d3
22e07732afa9d6a1c689bd93a3f5b60205310ef8f4225aa00391d8da73d88108
18e5ff8af38bd3bd2a0a497543241be74cf4ce575cc5c564cd34e6e3f41122aa
f35f4d73501f046d2319a9d6284235bad63461584faced48db23d9fdd032a045
ec48091b8b9cc09fd9d73415078622d8b3c5fb2de818caa20814a43b1d1c14c7
d3f2be134599de5203a3eb61863b6da610df012c2fdd6e3b47ac4929132da763
fa2a38ee7933b6eec66fed45d0f14e9cb4009ce04d5b56cf7e753af46626ada0
ec90bcbed4dc9e168367b501a9ac22ce0d53f1fe0b9a976727181f4bbf6b3467
8cc3a57385ce576b1264431f444a0b0178ac53c10b69058b2898373172565337
a100af984853a3c17d51f8aa34d70bb462ce8d760ba278937479ccf27edc3b9c
3e9f3a83f830c41cfec094e86c31a8c79c032814a4f029eba014cf90b7db75ab
b731e1e07da1ab601c2773e2124f60e482f30f81bf2d1d64c3363c5d1f4ec08d
6dd94fe4a5b0297fabec9985a7ef901a1ab05fb75c1284c036e7e79c60321e86
8509fdd176d2cfd177b97085f7aa8a865c38fdc8a004f8b3222a39deaf6bf680
78fdf9c2edfb9f97d16867a8372835563cb6ce1f1128b66ead34f88cbf299dc6
1d77e6b59c60817f9c5b17e620db8c30a6fda1c3ae638961f3a907b78d4e9128
ed94e4340621581cec927c362247b765e8eec9946069d54c36cac2e7ce1236f7
c1275a93bd767e100a37e8bc22439be45698a733f71d1ba5c890f5b1b4c3e034
3f084903c5b689b3d88e36e524bd3fcbda689a2b6d2446b8b10fbd97b145db7a
dc1ef9303dccebb2719b654a156860278e36cbd08bfa24cfacd82b640fb640df
4152197ecd541c3b62d3ada6ff29bf7bb90edf2e57f96f27980f802513420897
07d7da9b867a476b6214db42000f3e731e6c83e487edb5828687529898ea2267
ab4593816a20ff7503167fc8fac03e20ab1fd7479c8d26d23baaa12f5df7bbb2
472819b55a8804b4d8787f5e45cc9b1aeb1026d5819f06e91bbc022d53ccae5c
b0758e26884a064ab95a8d86fd4e17df2e2cf7b38b1c33ebbfa0cf9b9e88b9f2
33f8b2938048a821d1c515daf12ebb890ad5751b0d06cc2942ce976d2d9d1341
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad
5e30eebbe6f8d7fafad37f578848e1800a231e240162ba954ed211766d641afe
a7ba3de84abf4628a7b7096e7f28b4d8b6946429d6f8b1e8f0b5bd05eba3db0e
ec611350a188956ae50ff4b5ebea09f16d61e843b2dd6aef2c15ea82537b273e
f3fe763c0bab8b6423578bbe031190508406459cf1648b47dcba314c95ca8fbc
850752cfce58c44ce5d48735f4d53ccc1f8d12b7e1ae00d367d9c42103d9ad99
f3dd8124dc20b5dbe2afde3eaa092c05e1eb0fae8fe16aaacfa9e0d5213f4117
eb25536bdb4fbc21cefbd43e00f58424c9458eee4059a9d5fa26aaa1c4842e0f

SHA256 hash: 02fedd2a6307569c9a02f2ba8ba9af43667c9212d6537fff0e5b6f31049d1c23
MD5 hash: ff288f9fc4a4775af6d180b6a6c7a56a
SHA1 hash: a0adbf88f81aa44723d1c3f00072b6dcbb8c16c7
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 2d9dca16d8cddcc92d2efa4fc73a425db1ddfbc0846825d700fadf79e714825c
MD5 hash: e0cb96167d57afb40ddc23b8a6e787bf
SHA1 hash: 5d49eb0bebd34258268b6c5318154a4ccc48c29f
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 5c4064658cfc929bb45169b4ea8f237984acd8f92ee45892c1b05bffc61cf0aa
MD5 hash: 8bc29f39922f7905925d0f58e95f1a4a
SHA1 hash: f0215a7f600ee104f6da49ea142578d835046d2d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                         Title                                            Severity
CHECK_AUTHENTICODE         Missing Authenticode                             high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high

Comments