MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b
SHA3-384 hash:	e107ea75c9036271b0976d7df456b2ede2ae0102ccc1ae1959009423d0175c96c64d115018323efc547d4cf254bd17f1
SHA1 hash:	0a505715ac2053dff7c41b67fe1e403280c7e89c
MD5 hash:	22ba5a270aa34e1a04e14f0f95e2e46d
humanhash:	purple-texas-carpet-washington
File name:	6fd650e4f7d88a81503ca6a6ba8d21abbdd0a6d14086bfff03d1b5cc89625eaf_unpaked.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'293'312 bytes
First seen:	2024-01-07 04:14:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cc2b3e63a50ba98c3412285dee7a8f0b (16 x AgentTesla, 5 x RemcosRAT, 3 x 404Keylogger)
ssdeep	24576:pqDEvCTbMWu7rQYlBQcBiT6rpFd+zdIk/JPebiYNGo:pTvC/MTQYxsWPkzdIk/JPYzY
TLSH	T13155BF1333819056FFAB99734F8BF61157B869AA4023E12F139D3E7AB970571023E762
TrID	52.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 24.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	f0a0a0a8a8a8a8c0 (2 x AgentTesla)
Reporter	ukycircle
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

309

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/469763/

Detection(s):

PUA.Win.Packer.Ep-7

PUA.Win.Packer.Embedpe-3

PUA.Win.Packer.AcprotectUltraprotect-1

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit bladabindi control darkkomet greyware keylogger lolbin packed shell32 threat

Link:

https://www.filescan.io/uploads/659a2547fd5068bbc3c9321d/reports/3e9e5a1a-8479-4cac-b9ae-ec0471a28781/overview

Verdict:

Malicious

Labled as:

Strictor.Generic

Link:

https://www.hybrid-analysis.com/sample/d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b5689d24-199d-48b5-8c60-939c77b81b0f

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1370867

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b/

Threat name:

Win32.Trojan.Strictor

Status:

Malicious

First seen:

2024-01-07 04:15:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2x5osj5bug3ohwm2d467oebmo6xcxyywqdvgkxirqmr3akyeur5q._file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240107-et8z6sebcl/

Unpacked files

SH256 hash:

c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c

MD5 hash:

a7770cd05872881f3e47e8a9041748fd

SHA1 hash:

7606e077fdeb8dc5fbffbf428260baba4f0ba470

Detections:

AgentTesla

win_agent_tesla_g2

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Agenttesla_type2

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Link:

https://www.unpac.me/results/a34990aa-efb9-408d-9d40-9255da9675e2/

Parent samples :

07e1a7c7db48634dab70556d466ed0b8b4da85b28529b2b263a0a46b3f04dd10
b90922b5e35d6368d5ae449c45a111323f5d3b883416b0c13df5c1ecaa25d9bf
0bc70feb553bde362d94c650261f67ba9c56502ad04c838ff2d7c4fc49a45fb1
6fd650e4f7d88a81503ca6a6ba8d21abbdd0a6d14086bfff03d1b5cc89625eaf
5c7d5f2261c2faa3edb70a55eb5a53deb84557f80d7fa339d5ec82999f1ed213
d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b

SH256 hash:

d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b

MD5 hash:

22ba5a270aa34e1a04e14f0f95e2e46d

SHA1 hash:

0a505715ac2053dff7c41b67fe1e403280c7e89c

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/a34990aa-efb9-408d-9d40-9255da9675e2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5fae927a1a1b6e3d99a1f3df7102c77ae2be31680ea655d118323b02b04a47b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/469763/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample