MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125
SHA3-384 hash:	c20d66dfb5541ca670434d4b1d2316a7a6b299ad58927d2eb8d8e82c6a69cf72dd2acca233cc91ad0f57aa3fe5569c52
SHA1 hash:	c5409e36c2e97612cecd087beb0a12baed920550
MD5 hash:	f7c5db5d1a5d5bc81cd2e30cade9d4b8
humanhash:	fillet-nevada-sodium-bravo
File name:	SecuriteInfo.com.Trojan.PackedNET.2525.13170.4622
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	673'280 bytes
First seen:	2023-11-14 12:50:22 UTC
Last seen:	2023-11-14 13:26:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ujfrLlfuSIN5oIVWDQn3/2KJTahrHtfdpvunCWh+0y99q3mvqFsc:EThxjIVoQP2YTahr3eCWby9wPF
Threatray	339 similar samples on MalwareBazaar
TLSH	T1FDE4021632784527E96D02F8646661C15BB1FD13A460F76E1CE77BEE2BF3B8047026A3
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/458515/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2525.13170.4622.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin masquerade packed

Link:

https://www.filescan.io/uploads/65536d3c28bfca96f8ab988d/reports/ac207a7c-f3f9-4628-86d6-52225a2cf738/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/918e99a5-9b4f-4a35-8fab-d6236187d0eb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1342314

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-11-14 09:06:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

7 of 38 (18.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6kixpjgp22kxr6dimfwoko4xj3s4gyvs2q7hbilso6wbro7e2esq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

091c56138984569435a05540b0fc6d9bcaae31a5a2a7adaf3f91e2614a7cfe42

AgentTesla

15426243aa8d60c8592a759e72f42ee2b1d9f2cbf96018c565ce70fd6778ca33

AgentTesla

1e053c6bce5db98306f6795783016d7d94aaac748c80798210d7932e0c248d61

AgentTesla

321409ee266700ca2cac296c34e8c77358c43503b2376df20a613445ef5b23af

AgentTesla

43141e46fdafbf6529ef4319ee733ef308a6e6e12278e74c135d977a5b135876

AgentTesla

ad5097f981c366a853537cc8a7d745da73615e051c523b92f6ca7dcb80ea82b7

AgentTesla

af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

AgentTesla

cf1280dea0bfb86e585e302b4dc4fd51cb1f12847b4685cd377f1a6c8f63765b

AgentTesla

+ 329 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:btrd rat spyware stealer trojan

Link:

https://tria.ge/reports/231114-p3gmdsbc38/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Unpacked files

SH256 hash:

dc1640a58e9fea5bfa7f6345a1c4c30b240225cc63f34fdb389af6ece1c5a007

MD5 hash:

b80e4dff0fc7c0b2fc2455aee3273485

SHA1 hash:

2e8ecd4015704c7fa7cd039accf3dd4c6547ca63

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Formbook

Link:

https://www.unpac.me/results/825d526d-394a-4b42-8fff-5d12c4decc6a/

Parent samples :

87d3bbd8edcab168832890e4d362542e2be35fe286ce9a2ebeeb8216d08cca0f
896d0711b287b0914d88b93ff8d06623c60f45b405e12cbc34a406e09942a577
10e1fd083fbaa700f1580863bc6bdc928fff23f2edc479c6a8d4e3d7ff57926c
df810d99cd1588f21a80f27dc691efb44083567f1385978dad10611858bad134
c643ce9cf3045a605b3ed588dc7e992de791468c841013fcdb310e751b237ad3
2799249b9775bcf4a66a5f7fc52a40959815b1bb4b2b882b4f1e57d5dec406c1
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75
79d20833e8b6c58ece93da20c2c927565e26198e5a6c802cbf5b559429eb4a94
caa1bdc19a635529512712883d67b0de6ff62f71f880e7527f38a4590a238b36
42f2f917ae48fc7239e19745dadfc47fa16537798f75b11a21ba9a604fbb4631
28c3fe7155927cb7482afbe59c25193a1a34856caa296cec11f9a3404df33d7c
7428f76122fbba77322e7338dafb21a613cbcc104f5af85c026b350c2d426f23
41ab6054625f7a03d1a0af44403ac248ca880ddc0141f61e41755b6f2263e42a
fbaea63cf0928cdd548719ce257ea3813b92a8765f561bbe7e8842e7d830b87e
5710572191f804e2f5f91ec37236187038467ef22922976630028ea45d340807
b28c7e4510175a83aa87b5511c73319de27fc894ffc28d561d4689c3ca27d1f9
99bb71c925f112035797c13df8af4106c78c305aecea027583007145fce87de7
01b671890aaefc4af8c91936da19e526f9b104c0a0db0b82734b3328359da0cb
0e0c5ba817a732585fb0e4100c7c7fe60e35b389b941c1b6a975aeebff2c809b
15426243aa8d60c8592a759e72f42ee2b1d9f2cbf96018c565ce70fd6778ca33
af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c
1e053c6bce5db98306f6795783016d7d94aaac748c80798210d7932e0c248d61
321409ee266700ca2cac296c34e8c77358c43503b2376df20a613445ef5b23af
f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125
f4b495bc964bbf91246a27e1e0bb242c0e7cb80729a97ae8bd8be53c3c91ef4c

SH256 hash:

d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5

MD5 hash:

579197d4f760148a9482d1ebde113259

SHA1 hash:

cf6924eb360c7e5a117323bebcb6ee02d2aec86d

Link:

https://www.unpac.me/results/825d526d-394a-4b42-8fff-5d12c4decc6a/

SH256 hash:

76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa

MD5 hash:

9561bc00330bfa400784c1b3b2075d0b

SHA1 hash:

b98f0014f428085dea5ea44108d64d9119e3d698

Link:

https://www.unpac.me/results/825d526d-394a-4b42-8fff-5d12c4decc6a/

SH256 hash:

6084ad471af82bcce4b43cb9a34e34f35f5350275a1251748f13605b7c5c1f89

MD5 hash:

e73653f86a40e2e854d3704587caf2c1

SHA1 hash:

64c3e9740d46bd6fe0e2135f7de92a7d916ad0cf

Link:

https://www.unpac.me/results/825d526d-394a-4b42-8fff-5d12c4decc6a/

SH256 hash:

f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125

MD5 hash:

f7c5db5d1a5d5bc81cd2e30cade9d4b8

SHA1 hash:

c5409e36c2e97612cecd087beb0a12baed920550

Link:

https://www.unpac.me/results/825d526d-394a-4b42-8fff-5d12c4decc6a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f29177a4cfd6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f29177a4cfd69578f868616ce53b974ee5c362b2d43e70a17277ac18bbe4d125

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/458515/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample