MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2
SHA3-384 hash: beb263fc1507e96f1c18960841188258bc7b5de20a975f6045b4664671903457ddff4dd09b56898959f36f30f00cf1e9
SHA1 hash: a482c554d1968bc510d3d0e6466a9bf73797b128
MD5 hash: 1c986a692567e1322cadcc40f26e6a98
humanhash: winter-hot-robert-early
File name:2qm7QHN7DGpYWde.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:742'912 bytes
First seen:2021-02-03 05:28:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:p7q+jPMlWoxaduYk4YAZTOr7REKFWZVeglrg6Lv5kzI:DklW5uYXP987rFWzpd3T5k
Threatray 2'404 similar samples on MalwareBazaar
TLSH 4DF46AAC19968A15C875EBF51812C03D8ED39C195E129379B77238B522BE2E3DCD03DB
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2qm7QHN7DGpYWde.exe
Verdict:
Malicious activity
Analysis date:
2021-02-03 06:23:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1e44ed9-a8c0-48e1-9813-9e48d0461d56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115249/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42827.21133.11701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/597409
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 03:43:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iooomtdsxcpn5o63ylwasfegdc2cjau3y2672wzt3z46fys7kza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
048e22fc986137bcdab54c6ef68864265bc0bbd056d9da4537e2ce3db5509cc2
AgentTesla
1dba88d2a711e0efb588cb9465a78513b45c80736ca55b31a678993eb5d89152
AgentTesla
3d8447d0eb2c48725fb70f18f56e22e9b1ff5f93647a0a54ec59357b0b014258
AgentTesla
477cb1acc87c46d1b80bfdb3f40725ea6edb116c53c64477c1b3ecc1d9f43062
AgentTesla
59ff35a142a61d8e5e2af9527d531e908ec4e9272812f42ce014cf21e190d917
AgentTesla
7a74013f1e05034491e590cfe6e87ba07107e765248587e30c7fc7b798d47b21
AgentTesla
937eea1ca05515f8793eb5f189e4f9a05484ebc74fe3f4ccf46fa6d794f82374
AgentTesla
95bd2c8256fc15082b1e8e0431439c226847bcb284871bdac55584abcab3af24
AgentTesla
da01467bee3a7232ced05a6366fa3cf47ec37eab97b565471e1a969bbab127ad
AgentTesla
dacb2ecd4b407a78d8d481033b824e6d70f21e1cc58b225663141412175841e3
AgentTesla
+ 2'394 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210203-6kh2xgbnja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
70eccd44f77a2a0e3907d0386eb4855c37fa42173a81b368e90ebebf5f41bb42
MD5 hash:
b07e4cfb202bb5977e2823cdc229e6e4
SHA1 hash:
e435101f1dd60d3db5e111326cea7b169b1f1f37
Link:
https://www.unpac.me/results/2d9c3c52-26fe-4300-9f18-042fd772ff8f/
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/2d9c3c52-26fe-4300-9f18-042fd772ff8f/
SH256 hash:
08b6286a6c39f3e92c5ad51d70ef1210c1ddff1870b6e3ea30bf257e5813753c
MD5 hash:
28facb9fc3525b168700512afeb96cad
SHA1 hash:
7fbb5ea3de5f711d8b1d22628326ef39b428d3d7
Link:
https://www.unpac.me/results/2d9c3c52-26fe-4300-9f18-042fd772ff8f/
SH256 hash:
fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2
MD5 hash:
1c986a692567e1322cadcc40f26e6a98
SHA1 hash:
a482c554d1968bc510d3d0e6466a9bf73797b128
Link:
https://www.unpac.me/results/2d9c3c52-26fe-4300-9f18-042fd772ff8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
QQpass
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fa1ce7326395c4f6f5dede176048a430c5a12414de35efead99ef3cf1712fab2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115249/

Comments