MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f199f051d76eae8d5ddf0ee522868aa6878425948f4fc23c53e547995c403cbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 6



SHA256 hash: f199f051d76eae8d5ddf0ee522868aa6878425948f4fc23c53e547995c403cbe
SHA3-384 hash: 64660668cb149c092e266db828648342069864eaeab353ba6cae502e4471ee941e0b10c63f995bfa0ffd384e540714f5
SHA1 hash: 5792059d7619942fc8fc09f603fc54b6c726a72c
MD5 hash: c1e9a197e8ce679ef564382593c6e5c2
humanhash: georgia-triple-mirror-winner
File name: quotation professional pricelist for 2021 - 1009 232356 0000 565.exe
Signature: AgentTesla
File size: 927'712 bytes
First seen: 2021-02-16 14:34:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f228986deddd0a2624405de57a5157a5 (3 x RemcosRAT, 1 x Formbook, 1 x AgentTesla). An imphash shared by samples of three unrelated families reflects a common loader or packer import table rather than the final payload, so pivot on it to find related droppers, not to attribute the family.
ssdeep: 12288:KMndyoft/z3WuigCItGkRzowJ/miCoDaMycZ+wvt51d:KMd7/DhHoEchitDocLF51d
Threatray: 2'717 similar samples on MalwareBazaar
TLSH: 1415E7F2E94A8E71F05B153CE48EF6341826BCF2391D846A4EE87F06AA5375C39114B7
Reporter: James_inthe_box
Tags: AgentTesla exe signed (the "signed" tag only means an Authenticode signature is present; it says nothing about whether it chains to a trusted root, see the certificate details below)

Code Signing Certificate

Organisation: MicroSoft
Issuer: MicroSoft
Algorithm: sha1WithRSA
Valid from: 2021-01-12T16:15:56Z
Valid to: 2039-12-31T23:59:59Z
Serial number: 6354dd7ccbc3858d4f7d4225184a532f
Thumbprint Algorithm: SHA256
Thumbprint: 7271a5139a6fbb0875bb31e6408fded56369d4b3f47e313b8ca830c8e8442598
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
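The certificate above is the reason the "signed" tag must not be read as "trusted": issuer and subject are the same misspelled vendor name, the signature algorithm is SHA-1 and the validity window runs almost 19 years. The following Python is an added example, not MalwareBazaar or ReversingLabs code, that applies those checks to the certificate fields copied from this page; the TRUSTED_ORGS and WEAK_ALGORITHMS sets and the MAX_YEARS threshold are assumptions for the example, and an empty result does not replace real chain validation against the platform trust store.

```python
"""Triage of the code-signing certificate metadata shown above.

Added example, not MalwareBazaar or ReversingLabs code. It applies the
checks an analyst runs before treating the "signed" tag as a trust signal:
self-signed issuer, vendor-lookalike organisation name, deprecated
signature algorithm, implausible validity window and thumbprint length.
TRUSTED_ORGS, WEAK_ALGORITHMS and MAX_YEARS are assumptions, not data
from the page.
"""
from datetime import datetime, timezone

# Assumption: subject organisations seen in genuine Microsoft Authenticode
# certificates. A name that matches only case-insensitively is a lookalike.
TRUSTED_ORGS = {"Microsoft Corporation", "Microsoft Windows"}

# Assumption: algorithms no public CA has used for code signing for years.
WEAK_ALGORITHMS = {"sha1WithRSA", "sha1WithRSAEncryption", "md5WithRSA"}

# Assumption: public code-signing certificates are limited to 39 months.
MAX_YEARS = 3.25

# Certificate fields copied from this page (the sample's actual cert).
PAGE_CERT = {
    "Organisation": "MicroSoft",
    "Issuer": "MicroSoft",
    "Algorithm": "sha1WithRSA",
    "Valid from": "2021-01-12T16:15:56Z",
    "Valid to": "2039-12-31T23:59:59Z",
    "Thumbprint Algorithm": "SHA256",
    "Thumbprint": "7271a5139a6fbb0875bb31e6408fded56369d4b3f47e313b8ca830c8e8442598",
}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_years(cert: dict) -> float:
    """Length of the validity window in years."""
    start, end = _parse(cert["Valid from"]), _parse(cert["Valid to"])
    return (end - start).days / 365.25


def lookalike_of_trusted(org: str) -> bool:
    """True for names like 'MicroSoft' that mimic a trusted vendor without
    matching it exactly (exact matches are left to chain validation)."""
    if org in TRUSTED_ORGS:
        return False
    vendor_tokens = {t.split()[0].casefold() for t in TRUSTED_ORGS}
    return org.strip().casefold() in vendor_tokens


def triage_certificate(cert: dict) -> list:
    """Return the reasons this certificate must not be trusted.
    An empty list means the metadata alone raised no flag; it does not
    replace verifying the chain against the platform trust store."""
    findings = []
    if cert["Organisation"] == cert["Issuer"]:
        findings.append("self-signed: issuer equals subject, no path to a trusted root")
    if lookalike_of_trusted(cert["Organisation"]):
        findings.append(f"lookalike organisation name {cert['Organisation']!r}")
    if cert["Algorithm"] in WEAK_ALGORITHMS:
        findings.append(f"deprecated signature algorithm {cert['Algorithm']}")
    years = validity_years(cert)
    if years > MAX_YEARS:
        findings.append(f"validity window of {years:.1f} years exceeds CA policy")
    expected_len = {"SHA256": 64, "SHA1": 40}.get(cert.get("Thumbprint Algorithm", ""))
    if expected_len is not None and len(cert.get("Thumbprint", "")) != expected_len:
        findings.append("thumbprint length does not match its stated algorithm")
    return findings


if __name__ == "__main__":
    for finding in triage_certificate(PAGE_CERT):
        print("-", finding)
```

Run against the page's certificate this reports four findings (self-signed, lookalike name, SHA-1, 19-year validity); a certificate with a distinct issuer, an exact vendor name, SHA-256 and a one-year window reports none.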

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-02-16 05:30:51 UTC
File Type: PE (Exe)
Extracted files: 31
AV detection: 33 of 48 (68.75%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 6c5faf9784abeff03bdbe2522b9da9862ac8eb9d333f608f8ef28719565968df
MD5 hash: dff8986eae6a2b85730955c35b506f1a
SHA1 hash: 0b20d24bdd350524c25f5d513d1b3f8e4315c989
SHA256 hash: f199f051d76eae8d5ddf0ee522868aa6878425948f4fc23c53e547995c403cbe
MD5 hash: c1e9a197e8ce679ef564382593c6e5c2
SHA1 hash: 5792059d7619942fc8fc09f603fc54b6c726a72c
Please note that we are no longer able to provide a coverage score for Virus Total.
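The sandbox signatures above (allocates memory in foreign processes, writes to foreign memory regions, creates a thread in another process, injection into a recently created process, suspicious use of WriteProcessMemory) describe one chain that endpoint telemetry can catch. The following Python is an added example, not MalwareBazaar or sandbox-vendor code, that correlates Sysmon-style events (ID 1 process create, ID 10 process access, ID 8 remote thread) to raise that chain as a single alert. The event log is constructed for the example; the child image, PIDs and timestamps are assumptions and the page does not say which process this sample injects into.

```python
"""Detection of the injection chain listed in the sandbox signatures above.

Added example, not MalwareBazaar or sandbox-vendor code. It correlates
Sysmon-style events (ID 1 process create, ID 10 process access, ID 8
remote thread) to flag a process that spawns a child, opens it with
memory-write rights and then starts a thread in it. The event log below
is constructed for the example; the target image, PIDs and timestamps
are assumptions and are not from the page.
"""
from datetime import datetime, timezone

# Win32 process access rights that classic injection needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008   # VirtualAllocEx
PROCESS_VM_WRITE = 0x0020       # WriteProcessMemory

SAMPLE = r"C:\Users\victim\Downloads\quotation professional pricelist for 2021 - 1009 232356 0000 565.exe"

# Constructed Sysmon-like events, not a real capture.
EVENTS = [
    {"ts": "2021-02-16T14:35:00Z", "EventID": 1, "ProcessId": 3300,
     "Image": r"C:\Windows\explorer.exe", "ParentProcessId": 1200},
    {"ts": "2021-02-16T14:35:01Z", "EventID": 1, "ProcessId": 4120,
     "Image": SAMPLE, "ParentProcessId": 3300},
    # benign: explorer queries the new process with limited rights only
    {"ts": "2021-02-16T14:35:02Z", "EventID": 10, "SourceProcessId": 3300,
     "TargetProcessId": 4120, "GrantedAccess": "0x1000"},
    # the sample spawns a child (assumed image) and injects into it
    {"ts": "2021-02-16T14:35:03Z", "EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 4120},
    {"ts": "2021-02-16T14:35:03Z", "EventID": 10, "SourceProcessId": 4120,
     "TargetProcessId": 4188, "GrantedAccess": "0x1FFFFF"},
    {"ts": "2021-02-16T14:35:04Z", "EventID": 8, "SourceProcessId": 4120,
     "TargetProcessId": 4188, "StartAddress": "0x00400000"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_injection(events, window_seconds=60):
    """Return one alert per cross-process remote-thread event, annotated
    with the indicators that correspond to the sandbox signatures."""
    created = {}   # pid -> (create time, parent pid)
    granted = {}   # (source pid, target pid) -> OR of all granted access masks
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["EventID"] == 1:
            created[e["ProcessId"]] = (_ts(e), e["ParentProcessId"])
        elif e["EventID"] == 10:
            key = (e["SourceProcessId"], e["TargetProcessId"])
            granted[key] = granted.get(key, 0) | int(e["GrantedAccess"], 16)
        elif e["EventID"] == 8:
            src, tgt = e["SourceProcessId"], e["TargetProcessId"]
            if src == tgt:
                continue
            mask = granted.get((src, tgt), 0)
            indicators = ["creates a thread in another process"]
            if mask & PROCESS_VM_OPERATION:
                indicators.append("allocates memory in foreign process")
            if mask & PROCESS_VM_WRITE:
                indicators.append("writes to foreign memory regions")
            if tgt in created:
                t_create, parent = created[tgt]
                if parent == src and (_ts(e) - t_create).total_seconds() <= window_seconds:
                    indicators.append("injection into a process the source just created")
            alerts.append({"source": src, "target": tgt, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(EVENTS):
        print(alert)
```

The benign explorer.exe access (0x1000, PROCESS_QUERY_LIMITED_INFORMATION) never produces an alert because no remote thread follows it; the sample's full-access handle plus the thread in the child it just spawned yields one alert carrying all four indicators, which is the record to pivot on rather than four separate low-severity events.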

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments