MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442
SHA3-384 hash: 2d0596d66e2efce9b4e31bcb694980b2187152f0e7c55c6a904bdf4419607fea65f5954a4fba14a6b577984fb4f547a0
SHA1 hash: 430dbd8e9b6457c2866b5b8341826a09596afa21
MD5 hash: e982efe6f8a7f422bc6c6d990b86f43d
humanhash: kilo-purple-white-red
File name:price request .exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:534'712 bytes
First seen:2023-12-04 09:09:32 UTC
Last seen:2023-12-04 10:33:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66fcdd6338ffed276966867e7cf86116 (9 x GuLoader, 2 x AgentTesla, 2 x RemcosRAT)
ssdeep 12288:ZaWwYqkpp8KKQCr2j/xdsnKODz9xyGamW1MMv:oWDx5fj/xqn9x/amAMe
Threatray 3'134 similar samples on MalwareBazaar
TLSH T182B4BF89FB63ECE8FE560239257158163F429C5E60D9295D228DFB263C36203509BCFB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.jib-techs.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462286/
Detection(s):
SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.29429.20708.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656d976e380413dc0c2f8777/reports/6d719ba1-5eab-4ac3-82f6-3ba969bc3aa8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c206543f-73f3-4677-a4e3-da581af2f63b
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352994
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1352994 Sample: price_request_.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 26 smtp.jib-techs.com 2->26 28 us2.smtp.mailhostbox.com 2->28 30 3 other IPs or domains 2->30 38 Snort IDS alert for network traffic 2->38 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 5 other signatures 2->44 9 price_request_.exe 18 49 2->9         started        signatures3 process4 file5 24 C:\Users\user\...\Aquintocubitalism.Hag, data 9->24 dropped 12 powershell.exe 12 9->12         started        process6 signatures7 54 Suspicious powershell command line found 12->54 56 Very long command line found 12->56 58 Found suspicious powershell code related to unpacking or dynamic code loading 12->58 15 powershell.exe 14 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 60 Writes to foreign memory regions 15->60 62 Maps a DLL or memory area into another process 15->62 20 MSBuild.exe 15 8 15->20         started        process10 dnsIp11 32 185.29.11.62, 49712, 80 DATACLUB-NL European Union 20->32 34 api4.ipify.org 173.231.16.77, 443, 49713 WEBNXUS United States 20->34 36 2 other IPs or domains 20->36 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->48 50 Tries to steal Mail credentials (via file / registry access) 20->50 52 2 other signatures 20->52 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442/
Threat name:
Win32.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 03:10:55 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ijghkhj32tmh6u5zywkep4penpyqiken22qrfluy4dmg7nvirba._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
18f41f2a39ff37e43e2a8e01b0447d613257682929e0d5383458935d8279773c
AgentTesla
4afa99f3b34877cefef636c3a1f4a4360c06df2c31352a9852f30631f20e5bbe
AgentTesla
945e176b7aa6d3b13ca4f6cd758fe5ee04c49ab1778c2b5433166dfce5adc9e2
AgentTesla
a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
AgentTesla
f2ad5670f46f3be3f5bd5b6bd9d3122dad6a48664bad0e6f4418396e02ab8c00
AgentTesla
fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442
AgentTesla
+ 3'124 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231204-k42lqsab3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Guloader,Cloudeye
Unpacked files
SH256 hash:
fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442
MD5 hash:
e982efe6f8a7f422bc6c6d990b86f43d
SHA1 hash:
430dbd8e9b6457c2866b5b8341826a09596afa21
Link:
https://www.unpac.me/results/8b9f5bfc-74be-443a-9602-e7fda66f38d1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa1263a8e9de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fa1263a8e9dea6c3fa9dce2ca23f8f235f8821446eb5089574c706c37db54442

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/462286/

Comments