MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5
SHA3-384 hash: a87015fd4cfaf4bc228bb2c4a7f857be8725eab27f89d5db8847e840fac80786011891498f5a2efa022b2105cf285564
SHA1 hash: cfe662d47c20ad42a47bd6caf1cd1ba9523a8d17
MD5 hash: 3f9e372cc103758491c9786c67468330
humanhash: spring-golf-social-wisconsin
File name:Aviso de pago - (DS78B) Pago n.º 133060908_jpg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:607'232 bytes
First seen:2023-05-02 12:15:56 UTC
Last seen:2023-05-13 22:47:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:Ozmqjz+ydhlC8gRXocOkgqieQmCIFmmXLy:0mquydhsnRXocPgqiPERy
Threatray 2'873 similar samples on MalwareBazaar
TLSH T1FED4DF426179CF0AFC3ADBF154A4FF8457F1B5B398E0D2211FB624C9DAA6F010A4961B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Aviso de pago - (DS78B) Pago n.º 133060908_jpg.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-02 12:16:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7fb06a9d-969d-4921-b4b3-78c4cbb3c900

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386116/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6450ff07edfde86c79815dae/reports/9cf4ee27-6483-46e1-80e7-c7b6b9c66079/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b177af90-54c2-4581-80a4-50284f1cd5a4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224663
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 20:05:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6homhc6rrmwmcbv46hbyacjrmwgqw5dd64szsfw6y7ashayaixcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
AgentTesla
369589e738fc8b7e8e74ae15fc398639e3ed906982c7244705a66875cca0a611
AgentTesla
746604779bf099b84b5a237bc6e777b10cd9ca0d02e49e136f4856debbb89d65
AgentTesla
7d05369e7f8c3f1ae6e8e52d34c33707768c9d50c7cc688198f1e72bfebd2599
AgentTesla
88594695bdc9357dfd4ad5736af7f8ec01912cca4bb418f842228cf9ab1c9156
AgentTesla
ce411fa4af687b15beb90211d18afb4e5ec2842fde8cae87d72bc7def65ef6ef
AgentTesla
d1edcffd58ccef4c9709f027948bb28d09b1aee267cdd9b1271f7136b37ebd94
AgentTesla
fe30de8c39a135c0bda337c2624c20db55670737fffd79cb09145b42401782cf
AgentTesla
+ 2'863 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230502-pff3caba42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8ed47379ecab9b238763382e2ffb47f059d5022d536c4a988674632650fade9e
MD5 hash:
ba96a4836d1184a1277c90afcb0986de
SHA1 hash:
d48ca5de3f1b281ee7352a67fc37558aff687528
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
SH256 hash:
46072018443cdfb307ef241c0ce18b432e118ff03e2eeb72dd658053b1f0910f
MD5 hash:
1e2987cdcc4382d19dd1a7432f18ac7d
SHA1 hash:
bbf49c7c1e3c3ba1e13a1c1e28c16b0d0f0f6bcd
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
Parent samples :
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
21267f1c9f80d23b5c5199bddeec69bfc45b04de306bf05939622c5c4ca8887a
83d1c6995d6bb86139c6ead750d64648c2f0dd60d759e34ebbf3725518de8fdf
746604779bf099b84b5a237bc6e777b10cd9ca0d02e49e136f4856debbb89d65
f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5
SH256 hash:
58b99b8e8c0a8b4f1b98cbfd5d014abbc7e353614f5474bde6f542d7ecf5a982
MD5 hash:
8a161ba170d2a3f35144dc180b16757d
SHA1 hash:
9a768b44ef664ce8a3b7d951d5ce3b4f722a0843
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
SH256 hash:
3527168167a5f3d4329a9477ffc098b909094ac0e9838cfc2de47d9a98e664ec
MD5 hash:
6c3d85406970ec76449f42cb8ad1603f
SHA1 hash:
5e51e41dbbbb876fad62d1eb1bc50a8589d5b4b2
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
SH256 hash:
f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5
MD5 hash:
3f9e372cc103758491c9786c67468330
SHA1 hash:
cfe662d47c20ad42a47bd6caf1cd1ba9523a8d17
Link:
https://www.unpac.me/results/67306488-abda-41a6-9279-9ff50c7cddb1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1dcc38bd18b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f1dcc38bd18b2cc106bcf1c3800931658d0b7463f7259916dec7c123830045c5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386116/

Comments