MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370
SHA3-384 hash:	90866f845fc85a183e6333288891d5b26185bd029deae9e31fce0aa795f8f34b5dd1123ef2b04c3e1dd35c3b8270db97
SHA1 hash:	523f947eee81eeaccccb0e0353e78e58d7322e83
MD5 hash:	5c065ec4bc03f6ce783da91e937b01ce
humanhash:	network-idaho-tennessee-march
File name:	shipment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	859'648 bytes
First seen:	2023-02-23 14:41:49 UTC
Last seen:	2023-02-25 15:10:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:Dn4UhGHsTWg0yA5H6u+qmOvh+u3eEUCqF/BB5Ctcu:HIHI0yu3+qXoAgCir
Threatray	950 similar samples on MalwareBazaar
TLSH	T113057A46BBF09037F89E41AC063916CF5E32B253715CE22A5F3B69488D46EFBB1D8611
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

shipment.exe

Verdict:

Malicious activity

Analysis date:

2023-02-23 14:42:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/54c30651-991b-46b1-b2e0-315d58014d66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369307/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230223-1332.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f77b3db53d126ad2660b69/reports/06db8188-801d-4aa0-96f9-4a8c599d08b6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b5c51239-b75d-4d14-a1eb-11e971b7224a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1181375

Signature

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-02-23 13:20:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7lqqbrs6xuqynkvnkwdx5rp56lg3c4neldy3yz2xeluodzei4nya._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

23b23bbc8497e567eba43518485bb19fe70d295e54e5af14f90d233b33d862f9

AgentTesla

361034f14b8e3519b58ed13287495211c533f2d393accd4e198640aa6c98fc48

AgentTesla

72e713d25be6feb7c88cddfd471d9836371bd44cac7199cc1c44838e6946b807

AgentTesla

bbf7b8c0c3542188f9a8b62cd3c096ce43d9536b8a635c350c9e16e2ee6a0ead

AgentTesla

d91d2ae4ef54fa855e4b7a36c37717014e0195e815abb272045a25ce46dc66a6

AgentTesla

ddd6cb2af8803e3d83ff9600e2706c205910b9d1a733fb11764b8d1f633ab161

AgentTesla

e60df4c4e0c5fd9cb3bc3863d6ca5e668f44120187dd66fa0239c0741653e5e7

AgentTesla

f9c19f6fab392f8a9fc72e130be89468f5a1e6a5bd9bd76e4af198b58ec3e3e3

AgentTesla

+ 940 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230223-r21pzsgb68/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Unpacked files

SH256 hash:

450248300f37a6fd8847107b4b83a0585a575b7a001edf02a1eb0fbda31fbfdd

MD5 hash:

2e64f23f67723487c06585cfe22fb9fd

SHA1 hash:

da358f14d4ae50c484981bd54e5465caa3eb6ac7

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e

MD5 hash:

301d49f143b4559eebb04d6604c9c806

SHA1 hash:

8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

SH256 hash:

ba085e7872be62563361fae6b09c24b72abb1e24905b29e9f186fc6b5bd0218c

MD5 hash:

acc1b3165098bb9663626210017ffcbe

SHA1 hash:

8cff619129dcb211d1d1df9527ebad05203f335b

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

SH256 hash:

452677f7538cdad7eae21f72f500cc0fa48d6fef66e22176612ea26ef4813cdd

MD5 hash:

8bcebae63e79b193a35982314d8c3dbb

SHA1 hash:

7a45432f9b4329dd82dd31389631eb9b907c8e31

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

SH256 hash:

fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370

MD5 hash:

5c065ec4bc03f6ce783da91e937b01ce

SHA1 hash:

523f947eee81eeaccccb0e0353e78e58d7322e83

Link:

https://www.unpac.me/results/a0461a12-68ec-481d-9555-781e94423756/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fae100c65ebd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/fae100c65ebd2186aaad55877ec5fdf2cdb171a458f1bc675722e8e1e488e370

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.