MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 facd04849365e3e05f5924025a15f7750c941623b76cd711d65e466734ad8b9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	facd04849365e3e05f5924025a15f7750c941623b76cd711d65e466734ad8b9a
SHA3-384 hash:	e34e65287383724967cb82678ea69699c4dd7939e816bfe27125d4ac287d0404a250b18f01e5094fc4f4f31c523c0630
SHA1 hash:	cda00ef4e98d9e70dccbe9d32e2aa1f0e5424e3f
MD5 hash:	a9d92f8bdc245a9e5201e2a23a03792e
humanhash:	fanta-victor-pizza-carolina
File name:	FedEx Express AWB#53053232097Receipt.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	975'240 bytes
First seen:	2022-11-28 07:34:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2 (271 x GuLoader, 38 x Formbook, 25 x Loki)
ssdeep	24576:cCXowpCkoxEVWgy/WxJWA/XUNByE8abQ6h/t:cCXow9ouWgB33X6BiaB
Threatray	2'096 similar samples on MalwareBazaar
TLSH	T14E2512C23A3FCD15FCDC05B8941AE6590B37ED542ABBCA87F795B6892035F86390C1A4
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla exe FedEx signed

Code Signing Certificate

Organisation:	Slibebrt
Issuer:	Slibebrt
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-07T23:54:47Z
Valid to:	2025-02-06T23:54:47Z
Serial number:	45b9e8e4fb5440c2
Thumbprint Algorithm:	SHA256
Thumbprint:	08b0f12b19e1c417ed0e9e4551fe082665123ec6ea3e3e883a6bd5d64933d201
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedEx Express AWB#53053232097Receipt.exe

Verdict:

Malicious activity

Analysis date:

2022-11-28 07:43:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2f5167c7-900f-4f92-b200-a4ed301e3fe8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339289/

Detection(s):

SecuriteInfo.com.Troj.Inject-EAO.957.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

buer overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/638464ab559d07a06f47e796/reports/3992fc8f-7e9c-4662-999b-4df59f374678/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/93345e92-e96d-4657-9297-ecffd226feaf

Result

Threat name:

AgentTesla, GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1122339

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/facd04849365e3e05f5924025a15f7750c941623b76cd711d65e466734ad8b9a/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-28 00:46:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7lgqjbetmxr6ax2zeqbfufpxougjifrdw5wnoeowlzdgonfnrona._file

Verdict:

unknown

AgentTesla

1a340a1a7fac27ac3b7457ae56e0aa92a493c74a4fb4507d27245293783e8edd

AgentTesla

43f1463dd71cfcc3376f99056faf2c0ca6d35bacdd1a68db39b55c7179caf733

AgentTesla

61cbb9fa282b447f6fa3ed9db6f04b304eb31c6625a459a56a8a11bf71c7df04

AgentTesla

8de44c6d5f3c81b21ca61235a70d87c705c3b47127c9815628df1e1b1344a32b

AgentTesla

c1d4497629dff8c33f099d57352369ed56a081ce083a94d76b294d01b3e7479d

AgentTesla

ccb00726db19c3c19f4d2747fdc43b1a1bb6ed8d902ed9c45caf5fae7ad0de55

AgentTesla

d26418368c830b9d0cc5755e18cc1510288321fbab271eb301c457c3714fe79a

AgentTesla

e2dcc59293b027cc625930d90e7542867ee8ec34c2a25a01ca8ccbf64ba50e66

AgentTesla

+ 2'086 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221128-jep1zabe5w/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5970945594:AAHMt7s80wY_f2xiEG6TQZICclH5laYfErM/

Unpacked files

SH256 hash:

a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

MD5 hash:

fbe295e5a1acfbd0a6271898f885fe6a

SHA1 hash:

d6d205922e61635472efb13c2bb92c9ac6cb96da

Link:

https://www.unpac.me/results/e2af2017-cd12-422e-9ab8-1d400031fa67/

SH256 hash:

facd04849365e3e05f5924025a15f7750c941623b76cd711d65e466734ad8b9a

MD5 hash:

a9d92f8bdc245a9e5201e2a23a03792e

SHA1 hash:

cda00ef4e98d9e70dccbe9d32e2aa1f0e5424e3f

Link:

https://www.unpac.me/results/e2af2017-cd12-422e-9ab8-1d400031fa67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/facd04849365e3e05f5924025a15f7750c941623b76cd711d65e466734ad8b9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339289/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample