MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412
SHA3-384 hash: cc5849eeaa3f0df7fa8458cdb67661db2a337f94d9de9cc94c6fa8e2e1e18ff51a2014f71f00a20df59dafea4a31a032
SHA1 hash: 43c3d0f8d76692b6222f74c03e22e0211785673e
MD5 hash: c4a959052f68232975b40553c51d45d0
humanhash: salami-winner-moon-edward
File name:rITEMORDER384774FHHFFJ-4847FF8FN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'864 bytes
First seen:2023-07-25 15:07:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:kMaIkPt46c7ujzCWSD6IYkzu0hBX8akVzvwRdqSw0xbiFVsmW//5Hq7N8MnUwhIk:5aIwwQCmkzbfXvyM1besvxshxI
Threatray 635 similar samples on MalwareBazaar
TLSH T1CCF4124041A5DB1BE1E493F95B70A746A3F99FC12923D3288FD3EDC9F46AF241214A63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0d4d4c69cd4d0f0 (3 x AgentTesla, 3 x Formbook, 1 x SnakeKeylogger)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
rITEMORDER384774FHHFFJ-4847FF8FN.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 15:14:53 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/3de1c394-1802-4096-8814-cb034fee8274

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432447/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2196.9294.10395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fd29808-3ae4-4305-9165-383c79a6b88b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279287
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279287 Sample: rITEMORDER384774FHHFFJ-4847... Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic 2->51 53 Found malware configuration 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 5 other signatures 2->57 7 rITEMORDER384774FHHFFJ-4847FF8FN.exe 7 2->7         started        11 GQBCXCZgC.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\RoamingbehaviorgraphQBCXCZgC.exe, PE32 7->31 dropped 33 C:\Users\...behaviorgraphQBCXCZgC.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp58C7.tmp, XML 7->35 dropped 37 rITEMORDER384774FHHFFJ-4847FF8FN.exe.log, ASCII 7->37 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Writes to foreign memory regions 7->61 63 Adds a directory exclusion to Windows Defender 7->63 65 Injects a PE file into a foreign processes 7->65 13 RegSvcs.exe 15 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 21 RegSvcs.exe 2 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 qmcapitalpartners.co.uk 198.251.84.141, 25, 49716, 49719 PONYNETUS United States 13->39 41 mail.qmcapitalpartners.co.uk 13->41 49 3 other IPs or domains 13->49 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->73 75 May check the online IP address of the machine 13->75 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 mail.qmcapitalpartners.co.uk 21->43 45 104.237.62.211, 443, 49717 WEBNXUS United States 21->45 47 api.ipify.org 21->47 77 Tries to steal Mail credentials (via file / registry access) 21->77 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 81 Installs a global keyboard hook 21->81 29 conhost.exe 23->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 04:04:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ijvdemfnr7adix4rhxiz66dppogxkalxv4amrhksqmdiv2zoqja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05220984bed944b5743d4a9b640a42788d53ef523a8f9dc81c983b9da74eb6da
AgentTesla
363b5b951382bb7c9af26fadf9a61541d5a2d4e733adcb40fbc87e18579fd69f
AgentTesla
5af1aba19d9dd639542ba941b8e31495d1f9789ed426d376e87e040d5cd9df5f
AgentTesla
5ce651ac4d414f62033562a147cd6e7e821c408f50240ac3cd7c14fe89aaa108
AgentTesla
6771834e7cdb8a8f7813d313e65281901a61493653beb7fd0aad365036ede94a
AgentTesla
7510d23c5bd88ede2d8d2efbd6d851da1dfcdc1dfb089b80a4a310b7fb96df4a
AgentTesla
76d55aec6c6ce78586bcfa2b1ae7e727d9c922ff75a3f2aedc7cba917f793395
AgentTesla
7ae867cd981bcf4ee5a98923f6ca7e415f3287b1ad04a6e31b3f905a67b2c1e5
AgentTesla
81a48f67c7805ecf8ee47f17999208a9a116fca844d8dff8dbf12f66f4c91445
AgentTesla
ae2f668db376e89695e11dd9bed4d3becf18a74f812b6b647beaf39ab2aa3610
AgentTesla
+ 625 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230725-shwgladd86/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/2a0fa330-14aa-4e6f-9321-ca528655b6e6/
SH256 hash:
c064544a880410f33d8dad943ddc05aec105d4a1c28b2d54adadf1e9b18aa5a0
MD5 hash:
fec1e9ccfe65235c031d77a7f925ec13
SHA1 hash:
900e77a8e80ff8531265a7d0e6970b3a12e7f34b
Link:
https://www.unpac.me/results/2a0fa330-14aa-4e6f-9321-ca528655b6e6/
SH256 hash:
73be8c9241fcf655cef90880750ed24ed57ae3d388bcde841938262ca9206cc6
MD5 hash:
8c4d7b9b4fbaa46631812549e069d94e
SHA1 hash:
7294a0a603002975994891afb72bca3cec337292
Link:
https://www.unpac.me/results/2a0fa330-14aa-4e6f-9321-ca528655b6e6/
SH256 hash:
222de4bd5e455987bde3d488f89258cb9e2b6f734cad7428e765bdb107ca09e9
MD5 hash:
df71fd50a3bfc09099df66cfb16fdd5e
SHA1 hash:
2df8bf4abce9d6126e2b8170f0789a1f9b129d7b
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/2a0fa330-14aa-4e6f-9321-ca528655b6e6/
Parent samples :
fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412
450ac397e5ec1c38fb8b238ee604baa624bdb6e6be91c51bc31f331056420c80
SH256 hash:
fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412
MD5 hash:
c4a959052f68232975b40553c51d45d0
SHA1 hash:
43c3d0f8d76692b6222f74c03e22e0211785673e
Link:
https://www.unpac.me/results/2a0fa330-14aa-4e6f-9321-ca528655b6e6/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fa135191856c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fa135191856c7e01a2fc89ee8cfbc37bdc6ba80bbd780644ea94183457597412

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/432447/

Comments