MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
SHA3-384 hash: ff6e832f8965ffbd81ca2a0ac4c1f6b831b62df016d57d284ce6bb235242fe81f7e6bab76a23b9ee55105acaf14cddbc
SHA1 hash: 2bbf3d4682a253d373f01ead1cb86c8e3c269ae3
MD5 hash: f16382c47d6df2809c980a0e8dc937db
humanhash: ten-foxtrot-sixteen-pasta
File name:RFQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'208'320 bytes
First seen:2024-11-28 08:09:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:8tb20pkaCqT5TBWgNQ7aGI6jcC7uFrUQLb6A:lVg5tQ7aGI6IlfP5
TLSH T16A45CF1373DE8361C3B26273BA15B741BEBF782506B5F56B2FD8093DA820161521EA73
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe RFQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
417
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RFQ.exe
Verdict:
Malicious activity
Analysis date:
2024-11-28 08:33:18 UTC
Tags:
agenttesla stealer netreactor
Link:
https://app.any.run/tasks/3d8f4a82-3eb6-47f3-bcf7-19a7ab857e43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674826ded0583382434ba53b
Tags:
autoit emotet lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit compiled-script evasive fingerprint keylogger lolbin microsoft_visual_cc packed packed packer_detected regedit
Link:
https://www.filescan.io/uploads/674825608f37cc1861ff5561/reports/b0604690-8655-438c-bb0b-0baef8743219/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39cda725-2de1-457a-8268-4ab0a406d75d
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1564379
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-11-28 03:04:10 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd5b6dd4sog5sbxsov5r34exzzanxksfoqewbicfpra73e6jfbna._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
unknown_loader_001
Create hunting rule
agenttesla
Create hunting rule
autoit
Create hunting rule
Similar samples:
error
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/241128-j2pnqa1ncx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/df8cf4ce-1b73-48ed-8745-a631491d5176
Unpacked files
SH256 hash:
cc9ee0aecad9cdc84384e1f884bcb4a60eb0e001daddbde24f380512d55d3209
MD5 hash:
461dc4aaadb269b1b0d5895e30119ce1
SHA1 hash:
e40dd92000402a3b648a11288889d58eb172715f
Detections:
AgentTesla
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/4fa201bf-fc57-4054-8a60-2b5be210b3aa/
SH256 hash:
9aad02c83ec8478478b917b2c1f13d92b06673fe5dc252f5d8133869375214bd
MD5 hash:
615692941045f6f94a5728243b6864f8
SHA1 hash:
1d75c43af846eccab24883d031ea39b7dd664e8e
Detections:
AgentTesla
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/4fa201bf-fc57-4054-8a60-2b5be210b3aa/
SH256 hash:
9187d0b12e6378912fc967c14fbcbddbb21a95889c819d57e1bb7cb4875cfee3
MD5 hash:
dba0afd22a7e9f44b245a4534d3da623
SHA1 hash:
1dac9e1d49b2c7ae49681806e1515f549b5be3f6
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4fa201bf-fc57-4054-8a60-2b5be210b3aa/
SH256 hash:
88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a
MD5 hash:
f16382c47d6df2809c980a0e8dc937db
SHA1 hash:
2bbf3d4682a253d373f01ead1cb86c8e3c269ae3
Link:
https://www.unpac.me/results/4fa201bf-fc57-4054-8a60-2b5be210b3aa/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88fa1f0c7c93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RedLineStealer

zip f00ca56d8ce8b8f541efd24be1fd83e9ea847d75c448f81b7eb95174651a5e30

AgentTesla

Executable exe 88fa1f0c7c938dd906f2757b1df097ce40dbaa45740960a0457c41fd93c9285a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f00ca56d8ce8b8f541efd24be1fd83e9ea847d75c448f81b7eb95174651a5e30
  
Dropped by
MD5 a1e4c6d4419bf76446bb53c900b5732c

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments