MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d
SHA3-384 hash: 5249c4673f92f6148615e2100bd98962fee6f706fc1a438970ba02ace826af35d7acd3a301ab4efffefab686b4732edb
SHA1 hash: 7692239d2df4ea0eecaab360bd341190867609a7
MD5 hash: 2b95546c30d8422bccca2f4d5ff82fba
humanhash: bakerloo-robert-fanta-speaker
File name:Payment Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:765'440 bytes
First seen:2023-06-20 06:27:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:v4uLxNb1ryLTFhOTZzbxjXb0WvSQO/Gq7RrXq7w+lYWI+8tYq7J3At5iHOq+ZQ1:vTnHTZ5brIfNXq7waM7Yqtm8OqK
Threatray 5'427 similar samples on MalwareBazaar
TLSH T18AF4124C4BE8521FEAA76B78DBA1F779173FAA41BA33E3262D60B0D39C117140B05365
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 06:46:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63c7e89e-235c-4f0c-9319-5ef425249130

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400822/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/649146f5024b6169b0eb173e/reports/7f091cd8-b721-4e43-a38d-78b0dbfae6c6/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6687804-77fd-4f17-828f-285163cab8fa
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258464
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 13:29:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 35 (48.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lcbgk234qsizd3bbdffgqsjzy7b74grmlg3cxdmkun4cn2clioq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
055d1353e090b0ca79f1cada52c20eea97a86f452af07d9300fdc2d906dde98e
AgentTesla
07f01993306030d708dc2b5b42d4a6aef41c0c2f597aca066138689a6722a25d
AgentTesla
158d9c5a8c7290c638708e4843cb732e395c1ef4d782e1425220cb54467f27dd
AgentTesla
217deeacbfd0b0a0b448fd35c2dc00797077e43f7fc2383b6e1fb86029eccc52
AgentTesla
5710572191f804e2f5f91ec37236187038467ef22922976630028ea45d340807
AgentTesla
8f4a4002934b09591e8b6f95a9ec20ff0ae4ddc48dd869bd76fc9d9f9c59f72e
AgentTesla
ab3230837e2bd9c05f2046d480cf1d789b97d1d06c545f1b39e1fb0dcfb1e1a2
AgentTesla
c4c9edf6afbb7299ed861464f6235508fe155c28df677fc2c25f7b2ff47d0131
AgentTesla
ddde47cccacd1004e6fea80b5f6914f9b6e4601c7d0a09bd0334a4533a04c847
AgentTesla
f8c91d5c6dd452a15af5ecaf3ac6c9c076955708fc351ae4b8e2dbda928043fa
AgentTesla
+ 5'417 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230620-g8bpbsbe9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
SH256 hash:
d04c02096ec8559815e5ac17feabdea067d39868ad1197abb56164a2d2487e9a
MD5 hash:
a7fbad7b3126df6543a98321929a0864
SHA1 hash:
a28a01521aea6589ab031dc4a062870f30346918
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
SH256 hash:
6a2f5c7911ae5a344e841328c09e237291535766882f548d0d6e1334dd3f2781
MD5 hash:
d68d7c7d0c67d93068fef2f726278ce6
SHA1 hash:
9cc0883b14a10b2c1f77c41748606d7b5d8a65ae
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
Parent samples :
eddd9935b3edd2349c86f398cb4531458d80dc0a1707aff480d70a6e6704d80c
ab3230837e2bd9c05f2046d480cf1d789b97d1d06c545f1b39e1fb0dcfb1e1a2
fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d
076556ad465bb59f3c94c5bfc5432af05b8bb41f8cf65fe72f55b0f208c17aa9
SH256 hash:
0110f33422523400a77a0d8007039d1431a58c192cfc954ab8ccdfb8e15008a4
MD5 hash:
953d08b599274f5220aa8253a4534da1
SHA1 hash:
5aa6ed6ac3f9c49bc886be060254229afeb6205d
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
SH256 hash:
fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d
MD5 hash:
2b95546c30d8422bccca2f4d5ff82fba
SHA1 hash:
7692239d2df4ea0eecaab360bd341190867609a7
Link:
https://www.unpac.me/results/7610d346-3dc2-4507-9949-3145cce121ab/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fac4132b5be4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fac4132b5be4248c8f6108ca534249ce3e1ff0d162cdb15c6c551bc137425a1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400822/

Comments